Three critical vulnerabilities have been discovered in CocoaPods, the dependency manager for Swift and Objective-C Cocoa projects, which attackers could exploit to compromise software supply chains, posing a severe risk to downstream users.
The vulnerabilities allow malicious actors to claim ownership of thousands of unclaimed pods and inject malicious code into numerous popular iOS and macOS applications, according to a report published today by E.V.A. Information Security researchers Reef Spektor and Eran Vaknin.
The Israeli application security firm says the three issues have since been patched by CocoaPods as of October 2023. CocoaPods also reset all user sessions at the time in response to the disclosures.
One significant vulnerability, tracked as CVE-2024-38368 (CVSS score: 9.3), lets an attacker abuse an “unvalidated path traversal” mechanism to take control of a package and tamper with its source code, introducing malicious changes. This requires, however, that all prior maintainers have already been removed from the project.
The root cause dates back to 2014, when a migration left thousands of packages with unknown or unresponsive owners. This gave attackers the opportunity to use a public API for claiming pods, together with an email address hard-coded in the CocoaPods source (“unclaimed-pods@cocoapods.org”), to take control of those packages.
The second vulnerability, CVE-2024-38366 (CVSS score: 10.0), is considerably more severe: it abuses an insecure email verification workflow to execute arbitrary code on the Trunk server, which could in turn be used to manipulate or distribute packages.
The third vulnerability, also in email address verification (CVE-2024-38367, CVSS score: 8.2), exploits a recipient’s trust by luring them into clicking what looks like a harmless verification link; the link instead redirects the request to an attacker-controlled domain, exposing the developer’s session tokens.
Where email security configurations are lax, attackers can escalate this into a zero-click account takeover by spoofing HTTP headers, specifically by tampering with a request header, thereby taking advantage of the weak settings.
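The link-redirect flaw above arises when a service composes its verification link from a host the request itself supplies. The following is an added illustration, not CocoaPods code: a vulnerable link builder beside a hardened one plus an outbound check; the spoofed header name (X-Forwarded-Host), the path and the hostnames are assumptions, since the article only says “header”.

```python
"""Added example (not CocoaPods code): why an email verification link must
never be built from request headers, and how to detect the spoofing attempt.
Assumed: the spoofed header is X-Forwarded-Host; hosts and path are constructed."""
from __future__ import annotations
from urllib.parse import urlencode, urlsplit

CANONICAL_BASE = "https://trunk.example.test"   # constructed canonical origin
ALLOWED_HOSTS = {"trunk.example.test"}          # hosts the service legitimately serves


def _claimed_host(headers: dict) -> str | None:
    """Hostname the request *claims* to be for, from proxy/Host headers.
    Lookup is case-insensitive; any port suffix is stripped."""
    lower = {k.lower(): v for k, v in headers.items()}
    raw = lower.get("x-forwarded-host") or lower.get("host")
    return urlsplit(f"//{raw}").hostname if raw else None


def vulnerable_link(headers: dict, token: str) -> str:
    """The bug pattern: the emailed link inherits whatever host the request
    claimed, so a spoofed header makes the recipient's click send the token
    to a domain the attacker controls."""
    return f"https://{_claimed_host(headers)}/sessions/verify?{urlencode({'token': token})}"


def hardened_link(headers: dict, token: str) -> tuple[str, bool]:
    """Builds the link from the configured origin only, and reports whether the
    request carried a host that is not ours (a signal worth logging/alerting on)."""
    suspicious = _claimed_host(headers) not in ALLOWED_HOSTS
    return f"{CANONICAL_BASE}/sessions/verify?{urlencode({'token': token})}", suspicious


def link_is_trusted(link: str) -> bool:
    """Outbound guard: every verification link must be https on an allowed host."""
    parts = urlsplit(link)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed request: a proxy header pointing at a domain we do not own.
    spoofed = {"Host": "trunk.example.test", "X-Forwarded-Host": "attacker.example"}
    print(vulnerable_link(spoofed, "t0k3n"))   # token would travel to attacker.example
    print(hardened_link(spoofed, "t0k3n"))     # canonical link, suspicious=True
```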
The researchers found that almost every pod owner has registered an organisational email address on the Trunk server, leaving them exposed to the zero-click takeover.
CocoaPods, a package manager for iOS and macOS projects, has come under scrutiny before. In March 2023, Checkmarx found that a subdomain associated with the dependency manager (“cdn2.cocoapods.org”) may have been hijacked by an attacker via GitHub Pages to host malicious payloads.