
Bugs in Apple CocoaPods Leave Millions of Apps Vulnerable to Code Injection


An alarming number of Apple apps have been at risk due to critical vulnerabilities in a widely used dependency manager, CocoaPods.

CocoaPods, a platform utilized by developers in Apple’s ecosystem to incorporate and manage external libraries, contains over 100,000 libraries that are utilized by more than three million apps worldwide. Among the popular apps that depend on CocoaPods are Instagram, X, Slack, Airbnb, Tinder, and Uber. Given the extensive usage of these libraries, they become prime targets for potential hackers, as any underlying vulnerabilities within the CocoaPods platform could result in a significant breach.

Recently, E.V.A Information Security disclosed a report highlighting three serious vulnerabilities within the CocoaPods platform. The most critical, CVE-2024-38366, allowed remote code execution (RCE) and earned a CVSS rating of 10 out of 10. Another noteworthy bug, CVE-2024-38368, caused by ownerless pods, was rated 9.3, while the session-verification hijacking issue, CVE-2024-38367, was rated 8.2.

According to Alon Boxiner, CEO and co-founder of E.V.A, the impact of these vulnerabilities is immense, since they affect the vast number of apps that rely on CocoaPods.

The root of the problem lies in CocoaPods' mishandling of APIs, dating back to its development in 2011. In 2014, CocoaPods moved from a GitHub-based authentication system to a new Trunk server, which became the platform's central repository and distribution point. During the migration, however, ownership of pods was reset, leaving many dependencies orphaned and abandoned over time.

Shockingly, the public API endpoint for claiming pods remained accessible for nine years after the migration to Trunk. This oversight allowed anyone who knew of the vulnerability to claim ownership of any such pod, modify it with malicious code, and distribute the modified version to the Apple apps that depended on it, potentially compromising their security.

In addition to this vulnerability, E.V.A uncovered another critical bug linked to a RubyGem, a component integrated into CocoaPods for validating user email addresses. Vulnerabilities within the RubyGem package rfc-822 enabled attackers to inject malicious code during the account validation process, granting them complete control over the Trunk service and all associated pods.

Fortunately, CocoaPods released patches to address these vulnerabilities in October, reducing the risk posed by these security flaws. However, the hidden nature of software supply chain bugs and the vast number of pods at risk mean that exploitation could have occurred unnoticed.

To mitigate the risk, developers are advised to follow remediation steps recommended by E.V.A, such as checking for orphaned pods and reviewing all third-party code dependencies thoroughly. This incident underscores the importance of addressing supply chain risks in software development to prevent blind spots that could be exploited by attackers.
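As an added example (not code from E.V.A's report or from CocoaPods itself), here is the orphaned-pod check from the remediation advice above, applied to a constructed Podfile.lock: it lists each top-level pod and flags any whose owner list contains nothing but a placeholder address, or which has no checksum pinned in SPEC CHECKSUMS. The placeholder address and the owner data are assumptions; in practice the owner list for each pod would be looked up from the Trunk registry.

```python
# Constructed sample Podfile.lock (not from any real project).
SAMPLE_LOCK = """\
PODS:
  - AFNetworking (4.0.1):
    - AFNetworking/NSURLSession (= 4.0.1)
  - AFNetworking/NSURLSession (4.0.1)
  - Alamofire (5.6.4)
  - OrphanKit (1.2.0)
SPEC CHECKSUMS:
  AFNetworking: 7864c38297c79aaca1500c33288e429c3451fdce
  Alamofire: 4e95d97098eacb88856099c4fc79b526a299e48c
COCOAPODS: 1.11.3
"""

UNCLAIMED = "unclaimed-pods@example.invalid"  # hypothetical placeholder owner
# Constructed owner lists standing in for what a Trunk owner lookup would return.
SAMPLE_OWNERS = {
    "AFNetworking": ["maintainer@example.invalid"],
    "Alamofire": ["team@example.invalid"],
    "OrphanKit": [UNCLAIMED],
}


def parse_podfile_lock(text):
    """Return (pods, checksums): {name: version} for top-level pods, {name: sha1}."""
    pods, checksums, section = {}, {}, None
    for line in text.splitlines():
        if line and not line.startswith(" "):          # section header
            section = line.rstrip(":")
        elif section == "PODS" and line.startswith("  - ") and "/" not in line:
            name, version = line[4:].rstrip(":").split(" (")   # skips subspecs
            pods.setdefault(name, version.rstrip(")"))
        elif section == "SPEC CHECKSUMS" and ":" in line:
            name, sha = (s.strip() for s in line.split(":", 1))
            checksums[name] = sha
    return pods, checksums


def audit(pods, checksums, owners):
    """Flag pods with no owner besides the placeholder, or with no pinned checksum."""
    findings = {}
    for name in pods:
        issues = []
        if not [o for o in owners.get(name, []) if o != UNCLAIMED]:
            issues.append("orphaned: no owner other than placeholder")
        if name not in checksums:
            issues.append("missing SPEC CHECKSUMS entry")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit(*parse_podfile_lock(SAMPLE_LOCK), SAMPLE_OWNERS)` to get a per-pod list of findings; in the sample only OrphanKit is reported, on both counts.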

Dark Reading has contacted Apple for further comment on the matter. Alon Boxiner stresses the significance of supply chain risk management and the importance of safeguarding against vulnerabilities in the dependencies used in software development.
