Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain Attacks

Critical vulnerabilities in the CocoaPods dependency manager could have allowed threat actors to take over thousands of orphaned packages, execute shell commands, and take over accounts, potentially impacting millions of iOS and macOS applications, red teaming firm EVA Information Security reports.
CocoaPods, an open source dependency manager for Swift and Objective-C Cocoa projects, has more than 100,000 libraries, and is used by over three million applications across the Apple ecosystem.
In 2014, CocoaPods migrated to a Trunk server acting as a centralized repository and distribution platform, a process that left thousands of orphaned packages, as authorship was reset for all pods and for many the previous owner was not known.
While Podspec authors were asked to claim ownership of pods and retain control over them, 1,866 packages, including many that are widely used in other libraries, remain orphaned.
What EVA discovered was that all pods that had never been claimed were automatically associated with a default owner using the same email address, and that the public API for claiming ownership was still available, essentially allowing anyone to claim the pods as their own.
An attacker could exploit the vulnerability - tracked as CVE-2024-38368 - to take over known orphaned pods and modify their contents or replace it with malicious code.
The second vulnerability, tracked as CVE-2024-38366, is a remote code execution bug in the authentication server for CocoaPods, which executes a shell command to validate the email domain when a developer registers as a pod owner.
According to EVA, vulnerable methods used by the RFC822 during the email verification process allow the attacker to inject a bash command that will be executed on the Trunk server.
An attacker could exploit this insecure email verification workflow to manipulate or replace packages being downloaded.
The third vulnerability, tracked as CVE-2024-38367, is also related to the authentication process, allowing an attacker to hijack a pod owner's session and take over the CocoaPods trunk account.
EVA noticed that an attacker could spoof the X-Forwarded-Host header used for identification and that the server would use the spoofed header to construct the URL sent via email.
The URL could lead users to third-party websites that could steal their session cookies.
By having the session validation link sent automatically to their server, the attacker could then escalate this to a zero-click attack.
CocoaPods addressed these vulnerabilities server-side in September and October 2023 and exploitation is no longer possible.


This Cyber News was published on www.securityweek.com. Publication date: Tue, 02 Jul 2024 13:43:05 +0000


Cyber News related to Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain Attacks

Software Supply Chain Security Checklist - In the ever-evolving landscape of digital innovation, the integrity of software supply chains has become a pivotal cornerstone for organizational security. Software supply chain security is not just about protecting code - it's about safeguarding the ...
10 months ago Feeds.dzone.com
'Almost every Apple device' vulnerable to CocoaPods The Register - CocoaPods, an open-source dependency manager used in over three million applications coded in Swift and Objective-C, left thousands of packages exposed and ready for takeover for nearly a decade - thereby creating opportunities for supply chain ...
5 months ago Packetstormsecurity.com
Apple CocoaPods Bugs Expose Millions of Apps to Code Injection - A near inconceivable number of Apple apps have been exposed to critical vulnerabilities in a popular dependency manager for years now. CocoaPods is a platform that developers in Apple's ecosystem use to add and manage external libraries. This makes ...
5 months ago Darkreading.com
Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain Attacks - Critical vulnerabilities in the CocoaPods dependency manager could have allowed threat actors to take over thousands of orphaned packages, execute shell commands, and take over accounts, potentially impacting millions of iOS and macOS applications, ...
5 months ago Securityweek.com
New "MITRE ATT&CK-like" framework outlines software supply chain attack TTPs - A new open framework seeks to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack ...
1 year ago Csoonline.com
CVE of the month, the supply chain attack hidden for 10 years CVE-2024-38368 - CVE-2024-38368 is a vulnerability that affects the open-source supply chain of iOS and MacOS applications. CocoaPod is a dependency manager for Swift and Objective-C, essentially it is the NPM, RubyGems or PyPi equivalent of Swift and Objective-C. ...
5 months ago Securityboulevard.com
CISA Announces Renewal of the Information and Communications Technology Supply Chain Risk Management Task Force - The Task Force, chaired by CISA's National Risk Management Center and the Information Technology and Communications Sector Coordinating Councils, is a public-private partnership composed of a diverse range of representatives from public and private ...
10 months ago Cisa.gov
ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
1 year ago Hackread.com
Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk - Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. In an age when technology is constantly evolving, it is almost impossible to tell if a ...
1 year ago Cysecurity.news
Malware-laced JAVS Viewer deploys RustDoor implant in supply chain attack - MUST READ. Malware-laced JAVS Viewer deploys RustDoor implant in supply chain attack. Sweden's liquor supply severely impacted by ransomware attack on logistics company. Microsoft fixed two zero-day bugs exploited in malware attacks. Threat actors ...
6 months ago Securityaffairs.com
UK, ROK sound alarm over North Korean supply chain attacks The Register - The national cybersecurity organizations of the UK and the Republic of Korea have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks. "In an increasingly digital and interconnected ...
1 year ago Theregister.com
SCS 9001 2.0 reveals enhanced controls for global supply chains - In this Help Net Security interview, Mike Regan, VP of Business Performance at TIA, discusses SCS 9001 Release 2.0, a certifiable standard crafted to assist organizations in operationalizing the NIST and other government guidelines and frameworks. ...
1 year ago Helpnetsecurity.com
Over 1,450 pfSense servers exposed to RCE attacks via bug chain - Roughly 1,450 pfSense instances exposed online are vulnerable to command injection and cross-site scripting flaws that, if chained, could enable attackers to perform remote code execution on the appliance. PfSense is a popular open-source firewall ...
1 year ago Bleepingcomputer.com
Securing the Supply Chain - Before a supply chain can be improved, it must be understood. Rather than attacking one target, it is more effective to manipulate the supply chain to gain access to multiple targets. The 2013 Target breach was an example of a supply chain attack, as ...
1 year ago Securityweek.com
New Survey Finds a Paradox of Confidence in Software Supply Chain Security - Get results of and analysis on ESG's new survey on supply chain security. New research reveals that, despite increasing attacks and incidents against software supply chains, a surprising number of firms believe their defense is sufficient. This gap ...
7 months ago Securityboulevard.com
How AI could bolster software supply chain security - SAN FRANCISCO - While supply chain risks remain prevalent across enterprises of all sizes, Synopsys' Tim Mackey said AI tools will enable developers more than attackers - at least for now. Supply chain security was a significant topic that speakers ...
6 months ago Techtarget.com
Assessing and mitigating cybersecurity risks lurking in your supply chain - Most involve the supply of software and digital services, or at least are reliant in some way on online interactions. SMBs in particular may not proactively be looking, or have the resources, to manage security in their supply chains. Blindly ...
10 months ago Welivesecurity.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
Halting Hackers on the Holidays 2023 Part II: The Apps You Trust - Most free flashlight apps are creepware - also known as malware that spies on you and your online behavior and could pass along information to others. The problem doesn't begin and end with flashlight apps, though. Many seemingly innocuous apps that ...
1 year ago Cyberdefensemagazine.com
Synopsys Introduces Latest Solution for Comprehensive Security Across Software Supply Chains - Synopsys has introduced Black Duck® Supply Chain Edition, a novel software composition analysis solution. This offering aids organisations in mitigating upstream risks within their software supply chains. Black Duck® Supply Chain Edition ...
8 months ago Itsecurityguru.org
Synopsys Introduces Latest Solution for Comprehensive Security Across Software Supply Chains - Synopsys has introduced Black Duck® Supply Chain Edition, a novel software composition analysis solution. This offering aids organisations in mitigating upstream risks within their software supply chains. Black Duck® Supply Chain Edition ...
8 months ago Itsecurityguru.org
Synopsys Introduces Latest Solution for Comprehensive Security Across Software Supply Chains - Synopsys has introduced Black Duck® Supply Chain Edition, a novel software composition analysis solution. This offering aids organisations in mitigating upstream risks within their software supply chains. Black Duck® Supply Chain Edition ...
8 months ago Itsecurityguru.org
Synopsys Introduces Latest Solution for Comprehensive Security Across Software Supply Chains - Synopsys has introduced Black Duck® Supply Chain Edition, a novel software composition analysis solution. This offering aids organisations in mitigating upstream risks within their software supply chains. Black Duck® Supply Chain Edition ...
8 months ago Itsecurityguru.org
Synopsys Introduces Latest Solution for Comprehensive Security Across Software Supply Chains - Synopsys has introduced Black Duck® Supply Chain Edition, a novel software composition analysis solution. This offering aids organisations in mitigating upstream risks within their software supply chains. Black Duck® Supply Chain Edition ...
8 months ago Itsecurityguru.org
Synopsys Introduces Latest Solution for Comprehensive Security Across Software Supply Chains - Synopsys has introduced Black Duck® Supply Chain Edition, a novel software composition analysis solution. This offering aids organisations in mitigating upstream risks within their software supply chains. Black Duck® Supply Chain Edition ...
8 months ago Itsecurityguru.org

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)