Major Vulnerabilities in CocoaPods Threaten iOS and macOS Apps with Supply Chain Attacks

Three significant security vulnerabilities have been disclosed in CocoaPods, a dependency manager for Swift and Objective-C Cocoa projects, that could have enabled software supply chain attacks with severe consequences for downstream users of affected packages.

According to a report by E.V.A Information Security researchers Reef Spektor and Eran Vaknin, these flaws allow malicious actors to claim ownership of numerous unclaimed pods and inject malicious code into many popular iOS and macOS applications. The Israeli application security firm reported that CocoaPods patched these vulnerabilities as of October 2023 and reset all user sessions in response to the disclosures.

One vulnerability, CVE-2024-38368 (CVSS score: 9.3), could be exploited to abuse the "Claim Your Pods" process, allowing an attacker to take control of a package, tamper with its source code, and introduce malicious changes. Exploitation required that all previous maintainers had been removed from the project.

The issue originated in 2014, when a migration to the Trunk server left thousands of packages with unknown or unclaimed owners. An attacker could combine the public API for claiming pods with an email address present in the CocoaPods source code ("unclaimed-pods@cocoapods.org") to take ownership of such a pod.

A second vulnerability, CVE-2024-38366 (CVSS score: 10.0), stemmed from an insecure email verification workflow that could be abused to run arbitrary code on the Trunk server, which in turn could be used to manipulate or replace packages.

The third flaw, CVE-2024-38367 (CVSS score: 8.2), was also in the email verification component: a recipient could be tricked into clicking a seemingly benign verification link that actually pointed to an attacker-controlled domain, handing the attacker the developer's session token. Because the host in the link was taken from a spoofable HTTP header (specifically, the X-Forwarded-Host header field), the attack could be escalated to a zero-click account takeover when email security tools that automatically follow links in incoming mail opened the link on the victim's behalf.
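The bug class behind that last flaw is easy to reproduce: a server that builds absolute links from the Host or X-Forwarded-Host header will put whatever host an attacker supplied into the verification email. The Ruby snippet below is an added illustration of that pattern beside its fix; it is example code, not CocoaPods' Trunk source, and the host names, route, Rack env keys and token format are assumed for the demonstration.

```ruby
require 'uri'

# Host the service is really served on. Assumed value for this example;
# in a real deployment it comes from configuration, never from the request.
CANONICAL_HOST = 'trunk.example.org'.freeze
ALLOWED_HOSTS  = [CANONICAL_HOST].freeze

# Constructed Rack-style request environment: the attacker sends a normal
# Host header but adds a spoofed X-Forwarded-Host (Rack exposes request
# headers as HTTP_* keys). Nothing in front of the app overwrites that header.
ATTACKER_ENV = {
  'HTTP_HOST'             => CANONICAL_HOST,
  'HTTP_X_FORWARDED_HOST' => 'attacker.example',
  'PATH_INFO'             => '/sessions',
}.freeze

# Constructed benign request from a real user, with no forwarded header.
BENIGN_ENV = {
  'HTTP_HOST' => CANONICAL_HOST,
  'PATH_INFO' => '/sessions',
}.freeze

# Vulnerable pattern: the verification link embedded in the e-mail is built
# from whatever host the request claims, preferring the proxy header. The
# session token therefore lands in a URL that points at the attacker's domain.
def verification_link_vulnerable(env, token)
  host = env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST']
  "https://#{host}/sessions/verify/#{token}"
end

# Hardened pattern: the link host is a configured constant. The request's
# Host and X-Forwarded-Host headers play no part in what gets e-mailed.
def verification_link_hardened(token)
  "https://#{CANONICAL_HOST}/sessions/verify/#{token}"
end

# Defense in depth: reject requests whose host headers are not on the allow
# list before any link is generated, so a forwarded header that slipped past
# the reverse proxy never reaches application code at all.
def host_allowed?(env)
  claimed = [env['HTTP_HOST'], env['HTTP_X_FORWARDED_HOST']].compact
  claimed.all? { |h| ALLOWED_HOSTS.include?(h.split(':').first.downcase) }
end

# Where would the recipient (or a mail scanner following links) be sent?
def link_host(url)
  URI.parse(url).host
end

# Which token would that destination learn? (last path segment of the link)
def token_in_link(url)
  URI.parse(url).path.split('/').last
end

if __FILE__ == $PROGRAM_NAME
  token = 'sess_0123456789abcdef'
  bad  = verification_link_vulnerable(ATTACKER_ENV, token)
  good = verification_link_hardened(token)
  puts "vulnerable link -> #{bad}  (host #{link_host(bad)})"
  puts "hardened link   -> #{good}  (host #{link_host(good)})"
  puts "attacker request passes host check? #{host_allowed?(ATTACKER_ENV)}"
  puts "benign request passes host check?   #{host_allowed?(BENIGN_ENV)}"
end
```

The vulnerable function emits a link whose host is attacker.example and whose path carries the token, so anything that fetches the link (a human click or an automated link scanner) delivers the token to the attacker; the hardened function cannot be steered by any header. Rails applications get the allow-list check from the HostAuthorization middleware via config.hosts; for a bare Rack or Sinatra service the host_allowed? guard above is the equivalent, and the reverse proxy should additionally be configured to overwrite, not pass through, client-supplied X-Forwarded-* headers.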

The researchers noted that almost every pod owner is registered with their organizational email on the Trunk server, making them susceptible to the zero-click takeover vulnerability.

CocoaPods had faced scrutiny before. In March 2023, Checkmarx revealed that an abandoned sub-domain associated with the dependency manager ("cdn2.cocoapods[.]org") could have been hijacked by an adversary via GitHub Pages and used to host malicious payloads.