Three security vulnerabilities have been disclosed in CocoaPods, the dependency manager used by Swift and Objective-C Cocoa projects. Because CocoaPods sits in the build path of most iOS and macOS applications, the flaws are a software supply chain risk for downstream users, not only for the CocoaPods project itself. The researchers at E.V.A Information Security who reported them found that an attacker could have taken control of thousands of unclaimed pods and used that ownership to insert malicious code into widely used iOS and macOS applications.
The first issue concerns how the CocoaPods Trunk server handled pods without a verified owner. When the project migrated to the Trunk server in 2014, ownership of many existing pods was reset and never reclaimed by their authors. A public API then let anyone claim such a pod, because the placeholder owner was a fixed email address embedded in CocoaPods' own source code and therefore known to everyone. The weakness, tracked as CVE-2024-38368, lets an attacker abuse the "Claim Your Pods" process to take ownership of a pod from which all previous maintainers have been removed and then publish tampered versions of it to every project that depends on it.
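A pod takeover only harms a downstream project when that project installs something the new owner published. The following check is an added example, not CocoaPods' or E.V.A's code: it reads a Podfile.lock, lists the pods that resolve from the public trunk repo, and compares each one's version and spec checksum against a baseline recorded at the previous review, so a new version or an altered podspec is noticed before it is installed. The lockfile and baseline below are constructed for the example.

```ruby
# Added example (not CocoaPods' or E.V.A's code): audit the trunk pods in a
# Podfile.lock against a baseline from the last review. Lockfile and baseline
# are constructed.

LOCKFILE = <<~LOCK
  PODS:
    - AFNetworking (4.0.1):
      - AFNetworking/NSURLSession (= 4.0.1)
    - Alamofire (5.6.4)
    - LocalPod (0.1.0)

  DEPENDENCIES:
    - AFNetworking (~> 4.0)
    - Alamofire (~> 5.6)
    - LocalPod (from `../LocalPod`)

  SPEC REPOS:
    trunk:
      - AFNetworking
      - Alamofire

  EXTERNAL SOURCES:
    LocalPod:
      :path: "../LocalPod"

  SPEC CHECKSUMS:
    AFNetworking: 7864c38297c79aaca1500c33288e429c3451fdce
    Alamofire: 4e95d97098eacb88856099c4fc79b526a299e48c
    LocalPod: 0000000000000000000000000000000000000000

  PODFILE CHECKSUM: 1111111111111111111111111111111111111111

  COCOAPODS: 1.12.1
LOCK

# Split the lockfile into its top-level sections ("PODS", "SPEC REPOS", ...).
# Section headers start in column 0; indented lines belong to the current
# section. A value given on the header line itself is kept as well.
def parse_sections(text)
  sections = Hash.new { |h, k| h[k] = [] }
  current = nil
  text.each_line do |raw|
    line = raw.rstrip
    next if line.empty?
    if (m = line.match(/\A([A-Z][A-Z ]*):\s*(.*)\z/))
      current = m[1]
      sections[current] << m[2] unless m[2].empty?
    elsif current
      sections[current] << line
    end
  end
  sections
end

# Top-level pods and their resolved versions (subspec lines are indented further).
def resolved_versions(sections)
  sections["PODS"].each_with_object({}) do |line, pods|
    m = line.match(/\A  - ([^\s(]+) \(([^)]+)\):?\z/)
    pods[m[1]] = m[2] if m
  end
end

# Names of the pods served from the "trunk" spec repo.
def trunk_pods(sections)
  in_trunk = false
  sections["SPEC REPOS"].each_with_object([]) do |line, names|
    if (m = line.match(/\A  (\S+):\z/))
      in_trunk = (m[1] == "trunk")
    elsif in_trunk && (m = line.match(/\A    - (\S+)\z/))
      names << m[1]
    end
  end
end

# SHA-1 of each podspec as recorded by CocoaPods.
def spec_checksums(sections)
  sections["SPEC CHECKSUMS"].each_with_object({}) do |line, sums|
    m = line.match(/\A  (\S+): ([0-9a-f]{40})\z/)
    sums[m[1]] = m[2] if m
  end
end

# Baseline from the previous review (constructed): the Alamofire checksum is
# deliberately different from the current lock to show what drift looks like.
BASELINE = {
  "AFNetworking" => { version: "4.0.1", checksum: "7864c38297c79aaca1500c33288e429c3451fdce" },
  "Alamofire"    => { version: "5.6.4", checksum: "ffffffffffffffffffffffffffffffffffffffff" },
}.freeze

# For every trunk pod, report "new", "version changed", "spec checksum changed"
# or "unchanged". A changed checksum at an unchanged version means the podspec
# itself was altered on trunk and deserves a look before the next install.
def audit_trunk_pods(lock_text, baseline)
  sections  = parse_sections(lock_text)
  versions  = resolved_versions(sections)
  checksums = spec_checksums(sections)
  trunk_pods(sections).to_h do |name|
    prior  = baseline[name]
    status = if prior.nil?                            then "new"
             elsif prior[:version]  != versions[name]  then "version changed"
             elsif prior[:checksum] != checksums[name] then "spec checksum changed"
             else                                           "unchanged"
             end
    [name, status]
  end
end

if $PROGRAM_NAME == __FILE__
  audit_trunk_pods(LOCKFILE, BASELINE).each { |name, status| puts "#{name}: #{status}" }
end
```

Pods pulled from a local path or a git URL are ignored on purpose: they are not served by Trunk, so a Trunk account takeover cannot change them. Running the audit in CI against a committed baseline turns a silent `pod install` change into a visible review item.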
CocoaPods patched all three issues in October 2023 and reset every user session on the Trunk server; the public disclosure followed in 2024. The root causes, however, date back to the 2014 migration, which illustrates how long a missing ownership or input-validation check can sit unnoticed in a package ecosystem that many projects depend on.
The second flaw, CVE-2024-38366, carries a CVSS score of 10.0. It lies in the Trunk server's email verification step: attacker-controlled input from the supplied address reached a command executed on the server, giving an attacker arbitrary code execution on Trunk itself and with it the ability to manipulate or replace any package without the owner's involvement. This places every application that installs pods from Trunk at risk, and affected parties are urged to review and secure their dependencies.
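The shape of that bug is a classic one: the domain part of an email address ends up inside a command line built for a subprocess. The example below is added here and is not the Trunk server's or E.V.A's code; it shows an MX-record check written the vulnerable way and then hardened so that the domain is strictly validated and resolved with Ruby's own DNS client instead of a shell. The addresses, hostnames and the offline resolver stand-in are constructed.

```ruby
# Added example (not Trunk's or E.V.A's code): MX lookup for a registration
# email, vulnerable form beside the hardened form. Hostnames are constructed.
require "resolv"

# --- Vulnerable pattern -------------------------------------------------
# The part after "@" is interpolated into a shell command line. The string is
# returned instead of executed so this file is safe to run, but handed to
# `system` or backticks it would let "dev@example.com;id" run "id" on the server.
def mx_command_vulnerable(email)
  domain = email.split("@").last
  "host -t MX #{domain}"
end

# --- Hardened pattern ---------------------------------------------------
# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

# Strict allow-list for the domain: nothing a shell or a DNS client could
# misinterpret gets through. Single-label names are rejected on purpose since
# a public registration service has no reason to accept them.
def valid_domain?(domain)
  return false unless domain.is_a?(String) && domain.length.between?(1, 253)
  labels = domain.split(".", -1)
  labels.length >= 2 && labels.all? { |l| l.match?(LABEL) }
end

# Returns the lower-cased domain, or nil when the address is malformed.
def email_domain(email)
  local, domain, extra = email.to_s.split("@", -1)
  return nil if extra || local.nil? || local.empty? || !valid_domain?(domain)
  domain.downcase
end

# Resolve MX hosts with Ruby's Resolv DNS client: no subprocess, so there is
# no command line to inject into. The resolver is injectable for offline use.
def mx_hosts(email, resolver: Resolv::DNS.new)
  domain = email_domain(email)
  raise ArgumentError, "malformed email address" if domain.nil?
  resolver.getresources(domain, Resolv::DNS::Resource::IN::MX)
          .sort_by(&:preference)
          .map { |r| r.exchange.to_s }
end

# Offline stand-in for Resolv::DNS (constructed) so the example needs no network.
class FakeResolver
  def initialize(records)
    @records = records
  end

  def getresources(_name, _typeclass)
    @records
  end
end

FAKE_MX = [
  Resolv::DNS::Resource::IN::MX.new(20, Resolv::DNS::Name.create("mx2.example.com.")),
  Resolv::DNS::Resource::IN::MX.new(10, Resolv::DNS::Name.create("mx1.example.com.")),
].freeze

if $PROGRAM_NAME == __FILE__
  puts mx_command_vulnerable("dev@example.com;id")   # the command line the shell would see
  p email_domain("dev@example.com;id")                # nil: rejected before any lookup
  p mx_hosts("dev@example.com", resolver: FakeResolver.new(FAKE_MX))
end
```

Validation alone is not the fix; it is the second layer. The first is that the hardened path never hands user data to a shell at all, so even a validator bug cannot become command execution. Replace `FakeResolver` with the default `Resolv::DNS.new` to query real DNS.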
The third issue, CVE-2024-38367, affects the session verification links that Trunk sends by email. The server built the link's host from HTTP headers it received with the request, so an attacker who requested a session for a victim's address could spoof those headers and make the emailed link point at a domain they control; a recipient who clicks it hands the session token to the attacker. The attack becomes zero-click when the recipient's mail security gateway follows links automatically, since the token is then delivered to the attacker without any user interaction.
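The following example is added here and is not Trunk's code. It shows how a verification link built from a request-supplied host ends up pointing at the attacker, and the hardened builder that only ever emits an allow-listed host. X-Forwarded-Host is used as the spoofed header and trunk.cocoapods.org as the canonical host; both are assumptions for the example, and the request environment is constructed.

```ruby
# Added example (not Trunk's code): verification-link construction, vulnerable
# form beside the hardened form. Header name, hosts and request env are assumed
# or constructed for the example.
require "securerandom"
require "uri"

ALLOWED_HOSTS = ["trunk.cocoapods.org"].freeze   # assumed deployment setting

# --- Vulnerable: trust whatever host the request claims --------------------
def verification_link_vulnerable(env, token)
  host = env["HTTP_X_FORWARDED_HOST"] || env["HTTP_HOST"]
  "https://#{host}/sessions/verify/#{token}"
end

# --- Hardened: derive the host from configuration, not from the request ----
# If the deployment legitimately sits behind a proxy, the forwarded value may
# still be consulted, but only to pick among allow-listed hosts; anything else
# falls back to the canonical host instead of being echoed into the email.
def request_host(env, allowed: ALLOWED_HOSTS)
  forwarded = env["HTTP_X_FORWARDED_HOST"]
  candidate = forwarded ? forwarded.split(",").first : env["HTTP_HOST"]
  candidate = candidate.to_s.strip.downcase.sub(/:\d+\z/, "")
  allowed.include?(candidate) ? candidate : allowed.first
end

def verification_link_hardened(env, token, allowed: ALLOWED_HOSTS)
  "https://#{request_host(env, allowed: allowed)}/sessions/verify/#{token}"
end

# The attacker's vantage point: the token leaks if the link's host is theirs,
# whether a person clicks it or a mail security gateway fetches it automatically
# (the zero-click case). Returns the leaked token or nil.
def leaked_token(link, attacker_host)
  uri = URI(link)
  return nil unless uri.host == attacker_host
  uri.path.split("/").last
end

# Constructed Rack-style env for a session request sent by the attacker, who
# supplies the victim's email but spoofs the forwarding header.
SPOOFED_ENV = {
  "HTTP_HOST"             => "trunk.cocoapods.org",
  "HTTP_X_FORWARDED_HOST" => "attacker.example",
  "REQUEST_METHOD"        => "POST",
  "PATH_INFO"             => "/sessions",
}.freeze

if $PROGRAM_NAME == __FILE__
  token = SecureRandom.hex(16)   # stands in for the session token the server would mint
  puts verification_link_vulnerable(SPOOFED_ENV, token)
  puts verification_link_hardened(SPOOFED_ENV, token)
  p leaked_token(verification_link_vulnerable(SPOOFED_ENV, token), "attacker.example") == token
end
```

The same rule applies to password-reset and magic-link emails in any web application: the host in a link you email must come from configuration, never from `Host` or a forwarding header the client can set.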
The E.V.A researchers found that most pod owners are registered on Trunk with corporate email addresses, precisely the environments where link-following mail security scanners are common, which makes those accounts the most exposed to the zero-click takeover. The Trunk account, not only the pod's source repository, is therefore part of the trust boundary that developers and organizations relying on CocoaPods need to protect.
Weaknesses in CocoaPods' infrastructure are not unprecedented. Earlier in 2023, Checkmarx disclosed that an abandoned subdomain associated with CocoaPods could have been hijacked through GitHub Pages, a reminder that dependency management systems have an attack surface beyond the packages themselves. As organizations lean ever more heavily on open-source frameworks, the episode underlines that supply chain security has to be treated as a priority rather than an afterthought.
Mapped to the MITRE ATT&CK framework, the command execution on the Trunk server corresponds to Exploit Public-Facing Application (T1190), and the poisoned pods that a takeover would produce correspond to Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001). Framing the vulnerabilities this way helps defenders choose detections and controls that match the adversary's behaviour, for instance alerting on unexpected changes to locked dependency versions and podspec checksums, rather than treating each CVE in isolation. The CocoaPods incidents underline the continuing need for security awareness and effective incident response across the development community.