A trio of security flaws were discovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that can be used to orchestrate attacks on software supply chains, putting downstream customers at serious risk.
The vulnerabilities allow “any malicious actor to claim ownership of thousands of unsolicited packages and inject malicious code into many of the most popular iOS and macOS applications,” EVA Information Security researchers Rif Spector and Eran Vaknin note said in a report released today.
The Israeli app security firm said three issues have since surfaced patched up by CocoaPods as of October 2023. It also resets all user sessions at that time in response to the disclosure.
One of the vulnerabilities CVE-2024-38368 (CVSS score: 9.3), which allows an attacker to abuse “Claim your pods” process and take control of the package, effectively allowing them to tamper with the source code and make malicious changes. However, this required all previous maintainers to be removed from the project.
The roots of the problem go back to 2014, when the migration to the village took place Trunk server left thousands of packages with unknown (or unclaimed) owners, allowing an attacker to use the public API for obtaining pods and an email address that was available in the CocoaPods source code (“unclaimed-pods@cocoapods.org”) to take control.
The second error is even more critical (CVE-2024-38366CVSS score: 10.0) and takes advantage of an insecure email validation workflow to run arbitrary code on the backbone server, which can then be used to manipulate or replace packets.
The service also discovered a second issue in the email address verification component (CVE-2024-38367CVSS score: 8.2) that can trick a recipient into clicking a seemingly benign verification link, when in reality it’s redirecting the request to an attacker-controlled domain to access developer session tokens.
Even worse, this can be turned into a zero-click account takeover attack by forging an HTTP header, ie. X-redirected host header field – and taking advantage of misconfigured email security tools.
“We found that almost every package owner is registered with their organizational email on the backbone server, making them vulnerable to our click-through vulnerability,” the researchers said.
This isn’t the first time CocoaPods has come under the scanner. In March 2023 Checkmarx revealed that the remaining subdomain associated with the dependency manager (“cdn2.cocoapods(.)org”) could have been hijacked by an adversary via GitHub pages to host their payloads.