Millions of iOS and macOS applications have been found to depend on code that was exposed to takeover, creating an opening for supply-chain attacks. The flaws, uncovered by EVA Information Security, lie in CocoaPods, an open-source dependency manager widely used in app development for Apple platforms.

The most serious of the issues centers on the insecure email verification mechanism used to authenticate the developers who own individual pods (libraries). An attacker could manipulate the URL in a verification link so that it pointed at a server they controlled, and in doing so capture the developer's session token. With that token the attacker could publish malicious versions of the developer's pods, and any app that pulled the tainted dependency would hand over whatever data it handles, such as credit card details, medical records and private documents. That data could then be used for ransomware, fraud, blackmail and corporate espionage.

EVA Information Security's investigation found that roughly 3 million iOS and macOS apps built with CocoaPods had been exposed for nearly a decade. The flaws could have allowed attackers to insert malicious code into many popular applications, compromising the security of millions of end users.

This is not the first time CocoaPods has faced security challenges. In 2021, the maintainers confirmed a vulnerability that allowed a crafted pod repository to execute arbitrary code on the Trunk servers, which could have been used to replace legitimate packages with malicious ones. EVA Information Security's recent research describes three critical flaws in the CocoaPods dependency manager, all of which have now been patched. Developers should re-evaluate and verify the integrity of the open-source dependencies used within their applications. Because the CocoaPods team invalidated all existing sessions as part of the fix, any stored trunk credential (the token in ~/.netrc on a developer machine, or the COCOAPODS_TRUNK_TOKEN variable used in CI) no longer works and must be regenerated by running pod trunk register again; any copy of the old token should be treated as retired.
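One concrete way to act on the "verify the integrity of your dependencies" advice is to watch the Podfile.lock that CocoaPods writes: its SPEC CHECKSUMS section records a SHA-1 of each pod's podspec as resolved at install time, so a checksum that changes while the pod's version stays the same means the podspec was rewritten in place in the source repo and deserves a manual look. The script below is an added example written for this article, not CocoaPods code; the two lockfiles and their checksum values are constructed sample data, and the pod names and versions in them are placeholders.

```ruby
require 'yaml'

# Parse a Podfile.lock (it is plain YAML) into {pod_name => {version:, checksum:}}.
# Top-level PODS entries are "Name (1.2.3)" or {"Name (1.2.3)" => [dependencies]};
# subspecs such as "Name/Sub (1.2.3)" share the root pod's checksum.
def parse_lockfile(text)
  doc = YAML.safe_load(text)
  versions = {}
  Array(doc['PODS']).each do |entry|
    spec = entry.is_a?(Hash) ? entry.keys.first : entry
    name, version = spec.match(/\A(\S+) \(([^)]+)\)\z/).captures
    versions[name.split('/').first] ||= version
  end
  (doc['SPEC CHECKSUMS'] || {}).each_with_object({}) do |(name, sum), out|
    out[name] = { version: versions[name], checksum: sum.to_s }
  end
end

# Compare a trusted baseline lockfile with the current one.
# A checksum change accompanied by a version bump is a normal upgrade;
# the same version resolving to a different podspec is flagged as tampered.
def lockfile_drift(baseline_text, current_text)
  old = parse_lockfile(baseline_text)
  new = parse_lockfile(current_text)
  drift = { added: [], removed: [], upgraded: [], tampered: [] }
  (old.keys | new.keys).sort.each do |name|
    if !old.key?(name)
      drift[:added] << name
    elsif !new.key?(name)
      drift[:removed] << name
    elsif old[name][:checksum] != new[name][:checksum]
      same_version = old[name][:version] == new[name][:version]
      drift[same_version ? :tampered : :upgraded] << name
    end
  end
  drift
end

# Constructed sample lockfiles (made-up checksums, placeholder pods/versions).
BASELINE_LOCK = <<~LOCK
  PODS:
    - Alamofire (5.9.1)
    - SwiftyJSON (5.0.2)

  DEPENDENCIES:
    - Alamofire (~> 5.9)
    - SwiftyJSON

  SPEC REPOS:
    trunk:
      - Alamofire
      - SwiftyJSON

  SPEC CHECKSUMS:
    Alamofire: a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
    SwiftyJSON: b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2

  COCOAPODS: 1.15.2
LOCK

CURRENT_LOCK = <<~LOCK
  PODS:
    - Alamofire (5.9.2)
    - Kingfisher (7.12.0):
      - Kingfisher/Core (= 7.12.0)
    - Kingfisher/Core (7.12.0)
    - SwiftyJSON (5.0.2)

  DEPENDENCIES:
    - Alamofire (~> 5.9)
    - Kingfisher
    - SwiftyJSON

  SPEC REPOS:
    trunk:
      - Alamofire
      - Kingfisher
      - SwiftyJSON

  SPEC CHECKSUMS:
    Alamofire: c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3
    Kingfisher: d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4
    SwiftyJSON: e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5

  COCOAPODS: 1.15.2
LOCK

if __FILE__ == $PROGRAM_NAME
  lockfile_drift(BASELINE_LOCK, CURRENT_LOCK).each do |kind, pods|
    puts "#{kind}: #{pods.join(', ')}" unless pods.empty?
  end
end
```

In the sample, Alamofire is reported as upgraded (new version, new checksum), Kingfisher as added, and SwiftyJSON as tampered (same version, different checksum). Keep the baseline Podfile.lock under version control and run the comparison in CI before pod install output is trusted. The checksum covers only the podspec, not the downloaded source, and an attacker who has taken over a pod is more likely to push a brand-new version than to rewrite an old podspec, so every entry in the upgraded and added lists still needs a human review of what changed.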

The first vulnerability, CVE-2024-38368 (CVSS 9.3), let an attacker use the public "Claim Your Pods" process to take ownership of an orphaned package and then modify its source code. The second, CVE-2024-38366 (CVSS 10.0), abused the insecure email verification workflow to execute arbitrary code on the Trunk server. The third, CVE-2024-38367 (CVSS 8.2), involved manipulating the host in a verification link so that the developer's click went to an attacker-controlled domain, which handed the attacker the developer's session token.
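The third flaw is an instance of a general web-application bug: building an absolute URL for an e-mailed link from a host header that the client controls. The snippet below is an added illustration of that pattern and of its fix, not code from CocoaPods Trunk; it assumes, for the sake of the example, that the link host is taken from an X-Forwarded-Host header behind a reverse proxy (the usual way this class of bug arises), and the canonical host name, the /sessions/verify route, the Rack-style request hash and the token value are all placeholders.

```ruby
require 'uri'

# Assumed canonical origin for links; in a real deployment this comes from config.
CANONICAL_HOST = 'trunk.cocoapods.org'
ALLOWED_HOSTS  = [CANONICAL_HOST].freeze

# Vulnerable pattern: the link's host is whatever the request said it was.
# Behind a proxy, X-Forwarded-Host is client-supplied, so an attacker who
# triggers a verification e-mail for the victim's address can make the link
# in that e-mail carry the victim's token to a host the attacker controls.
def verification_link_vulnerable(env, token)
  host = env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST']
  "https://#{host}/sessions/verify/#{token}"
end

# Hardened pattern: the origin comes from server configuration only, so
# nothing request-derived can redirect the token.
def verification_link_hardened(token)
  URI::HTTPS.build(host: CANONICAL_HOST, path: "/sessions/verify/#{token}").to_s
end

# Boundary check for the same bug class: refuse requests whose forwarded host
# is not one of ours, so a spoofed header never reaches link-building code
# even if someone reintroduces the vulnerable pattern later.
def forwarded_host_allowed?(env)
  forwarded = env['HTTP_X_FORWARDED_HOST']
  return true if forwarded.nil? || forwarded.empty?
  ALLOWED_HOSTS.include?(forwarded.split(',').first.strip.downcase)
end

# Constructed sample request carrying a spoofed X-Forwarded-Host header.
SPOOFED_ENV = {
  'HTTP_HOST'             => CANONICAL_HOST,
  'HTTP_X_FORWARDED_HOST' => 'trunk.attacker.example'
}.freeze
SAMPLE_TOKEN = 'c0ffee1234' # placeholder, not a real session token

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable link: #{verification_link_vulnerable(SPOOFED_ENV, SAMPLE_TOKEN)}"
  puts "hardened link:   #{verification_link_hardened(SAMPLE_TOKEN)}"
  puts "forwarded host allowed? #{forwarded_host_allowed?(SPOOFED_ENV)}"
end
```

With the spoofed request, the vulnerable builder emits a link to trunk.attacker.example carrying the token, while the hardened builder always emits the canonical host and the boundary check rejects the request outright. The same rule applies to password-reset and magic-link flows in any framework: derive link origins from configuration, never from Host or X-Forwarded-Host.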

The potential impact of these vulnerabilities is profound. They posed a severe risk to downstream customers, since a malicious actor could insert harmful code into popular iOS and macOS applications through a dependency those apps already trusted. The roots of the problem trace back to 2014, when the migration to the Trunk server left thousands of packages with unknown or unclaimed owners; a public API then let anyone claim such a pod and publish malicious code under its name. Upon discovering the vulnerabilities, EVA researchers privately notified the CocoaPods maintainers, who responded promptly: they wiped all session keys to cut off any access gained through stolen tokens and introduced a new procedure for recovering orphaned pods. Developers who want to take over one of these dependencies must now contact the CocoaPods maintainers directly, which closes the unattended claim path.