
Vulnerabilities in CocoaPods: The Achilles' Heel of the Apple App Ecosystem

Recent discoveries have unveiled severe vulnerabilities within CocoaPods, a dependency manager essential for iOS and macOS application development. These security flaws could lead to significant supply chain attacks, jeopardizing numerous applications.

Diving into the details
The vulnerabilities were first brought to light by Eva, revealing critical weaknesses in CocoaPods' trunk infrastructure.

  • A threat actor could exploit the vulnerability identified as CVE-2024-38368 (CVSS score: 9.9) to commandeer orphaned pods, altering their contents or substituting them with malicious code.
  • The researchers spotted references to orphaned pods in the documentation or terms of service of applications from Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many others. In total, they identified 685 pods with explicit dependencies on an orphaned pod.
  • The second vulnerability, CVE-2024-38366 (CVSS score: 9.0), is a remote code execution flaw in the CocoaPods authentication server: when a developer registers as a pod owner, the server runs a shell command to validate the email domain.
  • The third vulnerability, CVE-2024-38367 (CVSS score: 8.0), also affects the authentication process, enabling an attacker to hijack a pod owner’s session and take control of the CocoaPods trunk account.
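The second flaw above stems from handing an attacker-controlled email domain to a shell. The following is an added example, not CocoaPods' own code, of the defensive pattern: the domain is parsed and validated against a strict grammar, then looked up with Ruby's Resolv library so no string ever reaches a command line. The names `domain_of`, `valid_domain?`, `validate_domain!` and `mx_records` are hypothetical.

```ruby
require 'resolv'

# Strict hostname grammar: dot-separated labels of letters, digits and
# hyphens, no leading or trailing hyphen, at least one dot, total length
# at most 253. Spaces, quotes, semicolons, backticks and $(...) can never
# match, so they are rejected before any lookup happens.
DOMAIN_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i

# Returns the part after the last '@', or nil when there is none.
def domain_of(email)
  idx = email.rindex('@')
  return nil if idx.nil? || idx == email.length - 1
  email[(idx + 1)..]
end

def valid_domain?(domain)
  !domain.nil? && DOMAIN_RE.match?(domain)
end

# Raises instead of returning when the domain fails the grammar, so callers
# cannot forget to check the result.
def validate_domain!(email)
  domain = domain_of(email)
  raise ArgumentError, 'invalid email domain' unless valid_domain?(domain)
  domain
end

# Looks up MX records directly over DNS. Because Resolv speaks the protocol
# itself, the domain stays data and is never part of a shell command.
# (Network access is needed; the validation above runs first and offline.)
def mx_records(email)
  domain = validate_domain!(email)
  Resolv::DNS.open do |dns|
    dns.getresources(domain, Resolv::DNS::Resource::IN::MX)
       .map { |r| r.exchange.to_s }
  end
end
```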

Potential impact
The vulnerabilities have vast implications, as any app integrating libraries through CocoaPods could be at risk. The exploit allows attackers to alter the software update process, inserting harmful payloads into applications. This highlights the urgent need for stringent security measures when managing software dependencies.

The bottom line
In response, CocoaPods detailed the steps taken to mitigate these risks. They have reinforced their trunk infrastructure and urged developers to update their projects and scrutinize their dependencies. The incident underscores the critical importance of securing the software supply chain. While dependency managers like CocoaPods enhance development efficiency, they also present attractive targets for attackers. Developers must remain vigilant and adopt robust security practices to safeguard their applications and users.
Cyware Publisher