
Vulnerabilities in CocoaPods Put iOS and macOS Apps at Risk of Supply Chain Attacks

A trio of security flaws has been found in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could lead to software supply chain attacks, posing risks to downstream customers.

The vulnerabilities could allow malicious actors to take control of unclaimed pods and insert malicious code into popular iOS and macOS applications, according to E.V.A Information Security researchers Reef Spektor and Eran Vaknin, who published the findings.

CocoaPods has patched these vulnerabilities as of October 2023 and reset all user sessions in response to the disclosures.

The first, CVE-2024-38368, lets an attacker claim ownership of a pod whose prior maintainers have all been removed and, from there, publish tampered versions of its source to every project that depends on it.

The root cause dates to 2014: the migration to the Trunk server left many pods without any registered owner, and those orphaned pods could later be claimed by anyone who asked for them.
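As an added example (not code from the article, from E.V.A Information Security, or from the CocoaPods project), the following Ruby script shows the check a team can run locally against its own Podfile.lock after news like this: which trunk pods float on a version range that a newly published, possibly hijacked, release would satisfy; which git-sourced pods track a branch rather than a commit or tag; and whether any podspec checksum has drifted from a previously reviewed baseline. The lockfile contents, pod versions, URL, commit and checksum values are constructed placeholders laid out in the real Podfile.lock format.

```ruby
# Added example, not code from the article or from the CocoaPods project:
# audit a Podfile.lock for the conditions under which a hijacked pod would
# flow into a build. Names, versions, URL, commit and checksums below are
# constructed placeholders in the real Podfile.lock layout.
require "yaml"

SAMPLE_LOCK = <<~LOCK
  PODS:
    - Alamofire (5.9.1)
    - SDWebImage (5.19.0):
      - SDWebImage/Core (= 5.19.0)
    - SDWebImage/Core (5.19.0)
    - SwiftyBeaver (2.0.0)

  DEPENDENCIES:
    - Alamofire (from `https://github.com/Alamofire/Alamofire.git`, commit `f36a3575`)
    - SDWebImage (~> 5.19)
    - SwiftyBeaver (= 2.0.0)

  SPEC REPOS:
    trunk:
      - SDWebImage
      - SwiftyBeaver

  EXTERNAL SOURCES:
    Alamofire:
      :git: https://github.com/Alamofire/Alamofire.git
      :commit: f36a3575

  SPEC CHECKSUMS:
    Alamofire: a1f2e3d4c5b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0
    SDWebImage: b2e3d4c5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d1
    SwiftyBeaver: c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2

  PODFILE CHECKSUM: deadbeefdeadbeefdeadbeefdeadbeefdeadbeef

  COCOAPODS: 1.15.2
LOCK

# Constructed baseline: checksums reviewed at the last audit. SwiftyBeaver's
# podspec has changed since then; Alamofire was never reviewed at all.
BASELINE_CHECKSUMS = {
  "SDWebImage"   => "b2e3d4c5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d1",
  "SwiftyBeaver" => "c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d0",
}.freeze

# "Name (requirement)" -> [name, requirement-or-nil]; also parses PODS entries.
def split_entry(entry)
  m = entry.to_s.match(/\A(\S+)(?:\s+\((.*)\))?\z/)
  [m[1], m[2]]
end

# A requirement is pinned when the resolver can only ever pick one revision:
# an exact version on the trunk, or a git commit/tag for an external source.
def pinned?(requirement)
  return false if requirement.nil?
  requirement.start_with?("= ") ||
    requirement.include?("commit `") ||
    requirement.include?("tag `")
end

def audit_lockfile(lock_text, baseline)
  # Podfile.lock writes option keys as Ruby symbols (:git, :commit), so Symbol
  # must be permitted; keys are normalised to strings below either way.
  lock = YAML.safe_load(lock_text, permitted_classes: [Symbol])

  resolved = {}
  (lock["PODS"] || []).each do |pod|
    name, version = split_entry(pod.is_a?(Hash) ? pod.keys.first : pod)
    resolved[name] = version.to_s unless name.include?("/") # skip subspecs
  end

  requirements = (lock["DEPENDENCIES"] || []).to_h { |d| split_entry(d) }
  trunk_pods   = (lock["SPEC REPOS"] || {}).values.flatten
  external     = lock["EXTERNAL SOURCES"] || {}
  checksums    = (lock["SPEC CHECKSUMS"] || {}).transform_values(&:to_s)

  # Trunk pods on a floating range: the next release that satisfies the
  # constraint, hijacked or not, is what `pod update` will fetch.
  floating = trunk_pods.reject { |name| pinned?(requirements[name]) }

  # External git sources without a commit or tag follow a moving branch.
  unpinned_git = external.reject do |_, opts|
    keys = opts.keys.map { |k| k.to_s.delete_prefix(":") }
    keys.include?("commit") || keys.include?("tag")
  end.keys

  # Podspec checksum drift against the reviewed baseline, plus pods the
  # baseline has never seen (new dependencies that still need review).
  drift      = checksums.select { |name, sum| baseline.key?(name) && baseline[name] != sum }.keys
  unreviewed = checksums.keys - baseline.keys

  {
    resolved:       resolved,
    floating:       floating.sort,
    unpinned_git:   unpinned_git.sort,
    checksum_drift: drift.sort,
    unreviewed:     unreviewed.sort,
  }
end

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCK, BASELINE_CHECKSUMS).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run against the sample it reports SDWebImage as floating, SwiftyBeaver as drifted and Alamofire as unreviewed; point it at a real lockfile by reading the file instead of SAMPLE_LOCK and keeping the baseline in version control. Exact pins and a committed Podfile.lock do not prevent a hijacked pod from publishing a new release, but they keep that release out of the build until someone deliberately updates, and the checksum comparison turns that update into a reviewable event rather than a silent one.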

The second, CVE-2024-38366, is a remote code execution flaw in the Trunk server's email verification workflow; an attacker running code on that server could manipulate any package it serves.

The third, CVE-2024-38367, also abuses the email verification flow: a manipulated verification link that appears to come from CocoaPods can hand a pod owner's session to an attacker once the owner follows it, enabling account takeover.

The researchers note that almost every pod owner is registered on the Trunk server with an organizational email address, which exposes them to a zero-click form of this takeover, since corporate mail gateways and link previewers routinely fetch links in incoming mail without any action by the user.

In March 2023 Checkmarx separately disclosed a CocoaPods hijacking issue rooted in an abandoned subdomain, the same pattern of ownership lapsing silently and becoming an attack surface.
