
Vulnerabilities in CocoaPods exposed iOS and macOS apps to supply-chain attacks


A recent discovery by security researchers at EVA Information Security has revealed that vulnerabilities in a software dependency management tool used by developers of applications for Apple’s iOS and macOS platforms could have allowed supply chain attacks. The security weaknesses in the CocoaPods dependency manager could have enabled hackers to insert malicious code into some of the most popular apps on these platforms.

CocoaPods, an open-source dependency manager for Swift and Objective-C projects, is typically used by software developers to verify the integrity and authenticity of the components they are using in their applications. By ensuring that the checksums and digital signatures of packages are correct, developers can trust that the code they are utilizing is secure. However, flaws in the CocoaPods ecosystem made it possible for malicious parties to claim ownership over thousands of unclaimed code “pods” and inject malicious code into them as part of a supply chain attack.

This issue stemmed from a migration process that occurred 10 years ago, leaving thousands of orphaned packages in the system. Despite being orphaned, many of these software packages were still being used by other applications. An attacker could claim ownership over these pods using a publicly available API and an email address found in the CocoaPods source code, allowing them to replace the original source code with their own malicious code. This could then lead to the infection of downstream dependencies, affecting a wide range of popular applications such as Facebook, WhatsApp, Safari, TikTok, and Netflix.

The security researchers identified 685 Pods that had an explicit dependency on orphaned Pods, potentially just a fraction of the true number when considering proprietary codebases. Furthermore, a separate vulnerability (CVE-2024-38368) allowed attackers to infiltrate the CocoaPods ‘Trunk’ server by exploiting an insecure email verification workflow. This could enable attackers to manipulate or replace the packages being downloaded, leading to supply chain and zero-day attacks.

Reef Spektor, VP of research at EVA Information Security, emphasized the significance of these vulnerabilities, highlighting the potential impact on both Apple ecosystem consumers and enterprises developing applications. He stressed the need for developers to review their dependency lists and package managers, validate checksums of third-party libraries, and conduct periodic scans to detect malicious code or suspicious changes.

EVA has already informed CocoaPods of these issues, and the vulnerabilities have been patched. Developers are urged to follow best practice guidelines, limit the use of orphaned or unmaintained packages, and remain vigilant against potential supply chain attacks. Supply chain attacks are an ongoing risk for those relying on third-party software, and as technology continues to evolve, attackers are finding more sophisticated ways to exploit vulnerabilities in the software supply chain.
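The review advice above (check the dependency list, validate checksums, look for unexpected changes) can be turned into a repeatable check against the project's Podfile.lock. The Ruby script below is an added example and not CocoaPods' or EVA's code: it parses a lockfile in the real file's layout, compares the recorded SPEC CHECKSUMS against a baseline saved at the last dependency review, flags pods whose checksum drifted, pods that were never reviewed, and direct dependencies with no pinned checksum, and verifies a fetched podspec against the lockfile's checksum (CocoaPods records the SHA-1 of each podspec there). The lockfile, podspec, pod names such as OrphanedUtil and NewPod, and all baseline values are constructed for the demonstration.

```ruby
# Added example (not CocoaPods' own code): audit a project's Podfile.lock
# against a reviewed baseline and verify a fetched podspec against the
# checksum the lockfile recorded. Lockfile, podspec, pod names and
# baseline values below are constructed for the demonstration.
require 'yaml'
require 'digest'

# CocoaPods records each pod's checksum as the SHA-1 of its podspec.
def podspec_checksum(podspec_contents)
  Digest::SHA1.hexdigest(podspec_contents)
end

# Constructed podspec (JSON form) for the pinned AFNetworking release;
# the source URL is a placeholder, not the project's real one.
AFNETWORKING_PODSPEC = '{"name":"AFNetworking","version":"4.0.1",' \
  '"source":{"git":"https://example.com/AFNetworking.git","tag":"4.0.1"}}'

# Constructed Podfile.lock in the real file's layout. AFNetworking's checksum
# is derived from the podspec above; the other two are placeholder values.
SAMPLE_LOCKFILE = <<~LOCK
  PODS:
    - AFNetworking (4.0.1):
      - AFNetworking/NSURLSession (= 4.0.1)
    - AFNetworking/NSURLSession (4.0.1)
    - NewPod (0.1.0)
    - OrphanedUtil (1.2.0)

  DEPENDENCIES:
    - AFNetworking (~> 4.0)
    - NewPod
    - OrphanedUtil

  SPEC REPOS:
    trunk:
      - AFNetworking
      - NewPod
      - OrphanedUtil

  SPEC CHECKSUMS:
    AFNetworking: #{podspec_checksum(AFNETWORKING_PODSPEC)}
    NewPod: 5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f7081
    OrphanedUtil: 9f1c0e2a4b6d8e0f1a2b3c4d5e6f708192a3b4c5

  PODFILE CHECKSUM: d2f6a1e3b4c5d6e7f8091a2b3c4d5e6f70819203

  COCOAPODS: 1.15.2
LOCK

# Checksums saved at the last dependency review (constructed). OrphanedUtil's
# podspec has changed since then; NewPod was added without a review.
REVIEWED_BASELINE = {
  'AFNetworking' => podspec_checksum(AFNETWORKING_PODSPEC),
  'OrphanedUtil' => '0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3'
}.freeze

# "Name (1.2.3)" -> ["Name", "1.2.3"]; a bare "Name" -> ["Name", nil].
def split_pod_entry(entry)
  m = entry.match(/\A(\S+)(?: \((.+)\))?\z/)
  return [entry, nil] unless m
  [m[1], m[2]]
end

# Parse the lockfile (it is YAML) into resolved pods, direct dependencies
# and the recorded podspec checksums.
def parse_lockfile(text)
  doc = YAML.safe_load(text)
  pods = {}
  Array(doc['PODS']).each do |item|
    entry = item.is_a?(Hash) ? item.keys.first : item   # hash form lists sub-dependencies
    name, version = split_pod_entry(entry)
    pods[name] = version
  end
  dependencies = Array(doc['DEPENDENCIES']).map { |d| split_pod_entry(d).first }
  checksums = (doc['SPEC CHECKSUMS'] || {}).transform_values(&:to_s)
  { pods: pods, dependencies: dependencies, checksums: checksums }
end

# Compare the lockfile's SPEC CHECKSUMS against the reviewed baseline.
def audit_lockfile(text, baseline)
  lock = parse_lockfile(text)
  findings = { drifted: [], unreviewed: [], removed: [], unpinned: [] }
  lock[:checksums].each do |pod, sha|
    if !baseline.key?(pod)
      findings[:unreviewed] << pod          # never reviewed
    elsif baseline[pod] != sha
      findings[:drifted] << pod             # podspec changed since the review
    end
  end
  findings[:removed] = baseline.keys - lock[:checksums].keys
  # Every direct dependency must resolve to a root pod with a recorded checksum.
  lock[:dependencies].each do |dep|
    root = dep.split('/').first             # subspec "Foo/Bar" belongs to root pod "Foo"
    findings[:unpinned] << root unless lock[:checksums].key?(root)
  end
  findings
end

# Verify a podspec fetched from a spec repo against the checksum in the lockfile.
def podspec_matches_lock?(lock_text, pod, podspec_contents)
  expected = parse_lockfile(lock_text)[:checksums][pod]
  !expected.nil? && podspec_checksum(podspec_contents) == expected
end

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCKFILE, REVIEWED_BASELINE).each do |kind, pods|
    puts "#{kind}: #{pods.empty? ? 'none' : pods.join(', ')}"
  end
  ok = podspec_matches_lock?(SAMPLE_LOCKFILE, 'AFNetworking', AFNETWORKING_PODSPEC)
  puts "AFNetworking podspec matches lockfile: #{ok}"
end
```

Run it in CI after `pod install` and fail the build on any non-empty finding; a drifted checksum on a pod nobody deliberately updated is exactly the signal a silently replaced or re-claimed pod would produce, and an unreviewed entry forces a human to look at a new dependency before it ships.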
