Many macOS and iOS applications were exposed to a vulnerability in CocoaPods, an open source dependency manager, EVA Information Security disclosed on July 1. The vulnerability has been patched since EVA first discovered it and there have been no attacks that are conclusively linked to it.
However, the case is interesting because the vulnerability went unnoticed for a long time and highlighted that developers should be careful with open source libraries. The vulnerability is a good reminder for developers and DevOps teams to check whether any of their organizations' devices could be affected.
According to EVA, “thousands of apps and millions of devices” could have been affected downstream. The security team claims to have found vulnerable CocoaPods in “documentation or terms of service documents for apps provided by Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.”
EVA reported the vulnerability to CocoaPods in October 2023, at which time it was patched.
“The CocoaPods team responded responsibly and quickly to the vulnerabilities once they were disclosed,” EVA Information Security wrote.
Vulnerabilities originating in CocoaPods
CocoaPods is a dependency manager for Swift and Objective-C projects, and verifies the legitimacy of open source components. EVA Information Security was not initially looking for vulnerabilities in CocoaPods; instead, the team discovered them during a red team engagement for a client.
EVA reported several causes for the vulnerabilities. First, CocoaPods migrated from GitHub to a “trunk” server in 2014, but pod owners had to manually reclaim their pods. Some of them failed to do so, leaving 1,866 “orphaned” pods that remained untouched for the next 10 years. Anyone could email CocoaPods to claim those pods, which would have allowed attackers to inject malicious content.
Second, attackers could execute malicious code on the backbone server itself by leveraging an insecure email verification workflow. From there, they could manipulate or replace packages downloaded from that server.
Third, attackers could steal account verification tokens by spoofing an HTTP header and leveraging misconfigured email security tools. From there, they could use that token to change packages on the CocoaPods server, potentially leading to zero-day and supply-chain attacks.
What developers and DevOps teams can do to mitigate CocoaPods vulnerabilities
The CocoaPods vulnerabilities are a good reminder for developers and DevOps teams not to forget about dependency managers, which can be a weak link in supply chain security. To handle CocoaPods vulnerabilities, developers and DevOps teams should double-check the open source dependencies used in their application code.
EVA suggested:
- If you are using software that depends on orphaned CocoaPods packages, keep your Podfile.lock file synchronized with all CocoaPods developers to ensure that everyone has the same version of the packages.
- Review the dependency lists and package managers used in your applications.
- Validate checksums from third-party libraries.
- Perform periodic scans of external libraries, especially CocoaPods, to detect malicious code or suspicious changes.
- Keep your software up to date.
- Limit the use of orphaned or unmaintained CocoaPods packages.
- Beware of possible exploitation of widely used dependencies like CocoaPods.
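One concrete way to act on the Podfile.lock, checksum and periodic-scan recommendations above is to treat the SPEC CHECKSUMS section of the committed Podfile.lock as a baseline and diff it on every build. The script below is an added example written for this article; it is not code from EVA Information Security or from the CocoaPods project. The Podfile.lock excerpt and the baseline dictionary are constructed sample data, and the pod names in them are hypothetical. The `podspec_checksum` helper assumes that the SPEC CHECKSUMS value CocoaPods records is the SHA-1 of the podspec file's bytes.

```python
import hashlib
import re
from typing import Dict, List

# Constructed excerpt of a Podfile.lock (hypothetical pod names).
# CocoaPods records, per pod, a SHA-1 over the podspec it resolved.
PODFILE_LOCK = """\
PODS:
  - ExampleLogger (1.4.2)
  - ExampleNetworking (2.1.0)

DEPENDENCIES:
  - ExampleLogger
  - ExampleNetworking (~> 2.1)

SPEC CHECKSUMS:
  ExampleLogger: 3b5c0f9e8f1a2d4c6e7b8a9d0c1e2f3a4b5c6d7e
  ExampleNetworking: 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e

PODFILE CHECKSUM: a1b2c3d4e5f60718293a4b5c6d7e8f9012345678

COCOAPODS: 1.15.2
"""

# Baseline captured when the dependencies were last reviewed (constructed).
# ExampleNetworking's checksum deliberately differs from the lock file above.
BASELINE: Dict[str, str] = {
    "ExampleLogger": "3b5c0f9e8f1a2d4c6e7b8a9d0c1e2f3a4b5c6d7e",
    "ExampleNetworking": "0000000000000000000000000000000000000000",
}

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_spec_checksums(lock_text: str) -> Dict[str, str]:
    """Return {pod_name: sha1} from the SPEC CHECKSUMS section of a Podfile.lock.

    Raises ValueError if an entry does not look like a 40-hex-char SHA-1,
    so a tampered or truncated lock file fails loudly instead of silently.
    """
    checksums: Dict[str, str] = {}
    in_section = False
    for line in lock_text.splitlines():
        if line.startswith("SPEC CHECKSUMS:"):
            in_section = True
            continue
        if not in_section:
            continue
        # The section ends at the first line that is not indented (blank or next key).
        if not line.startswith("  "):
            break
        name, _, digest = line.strip().partition(":")
        digest = digest.strip()
        if not SHA1_RE.match(digest):
            raise ValueError(f"malformed checksum for {name!r}: {digest!r}")
        checksums[name.strip()] = digest
    return checksums


def diff_checksums(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify pods as changed, added or removed relative to the reviewed baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def podspec_checksum(podspec_bytes: bytes) -> str:
    """SHA-1 over the raw podspec file bytes (assumed to match the SPEC CHECKSUMS scheme)."""
    return hashlib.sha1(podspec_bytes).hexdigest()


if __name__ == "__main__":
    current = parse_spec_checksums(PODFILE_LOCK)
    report = diff_checksums(BASELINE, current)
    for kind, pods in report.items():
        print(f"{kind}: {pods if pods else 'none'}")
    # Any non-empty bucket should block the build until a human reviews the change.
    if any(report.values()):
        print("dependency drift detected; review before building")
```

Run it from the repository root in CI and fail the job when any bucket is non-empty; the baseline dictionary would normally be loaded from a file that is updated only through code review, so a pod whose podspec silently changes on the trunk server (the scenario EVA describes) shows up as `changed` before it reaches a release build.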