Serious problems are said to exist in the popular dependency management tool CocoaPods, which has been used for almost nine years in millions of apps for iPhone, Mac and others. That is the finding of IT security researchers at the security provider EVA Security in a new paper released on Monday. According to the report, it was at least theoretically possible for attackers to take over libraries (called "pods" in CocoaPods terminology) at will and use them to distribute malware. Attacks on the software supply chain would have been possible in this way.
Countless libraries are ownerless and up for grabs
CocoaPods is an open source project that brings together more than 100,000 libraries and, according to its creators, is used in "more than 3 million apps". The tool advertises itself with the slogan "CocoaPods helps you scale your project gracefully." The Ruby-based dependency manager is intended for Swift and Objective-C projects. EVA Security found that CocoaPods migrated all pods to a new "trunk server" on GitHub in 2014. In the process, the authorship of every library was simply reset, and CocoaPods then asked developers to "claim" their respective libraries.
Not everyone did so, however. An astonishing 1870 pods still currently carry the owner name "?", meaning they have no owner at all. By taking over such a pod, it became possible to inject code into any Swift or Objective-C project that uses one of these libraries. EVA Security reported the issue under CVE-2024-38368; it carries a CVSS score of 9.3. (The most severe vulnerabilities reach a score of 10.)
The gap is closed, but checking is better
The attack was very easy to carry out: to take over a pod, an attacker only had to make a curl request. The library could then be modified at will with malware or other code, which then ends up in apps that pull the library in via CocoaPods. CocoaPods is used not only by small developers but also by big names such as Amazon, Microsoft, TikTok, Meta and even Apple, according to EVA Security. Whether supply-chain attacks have actually taken place via this route cannot currently be said, but it is conceivable. EVA Security discovered the problem not through an analysis of CocoaPods itself, but during red teaming exercises with a customer.
In addition to the supply-chain attack, the security researchers discovered two other issues in the CocoaPods trunk server itself: remote code execution via a vulnerable Ruby package, and theft of session cookies via a bug in the source code. Affected developers should first check which packages they are using and then manually validate the third-party libraries in use. If one of the 1870 ownerless pods is found among them, the library should be removed immediately. Both the vulnerability in the trunk server and the easy possibility of taking over pods were fixed by the CocoaPods project in October 2023.
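A check of the kind the article recommends, as an added example that is not part of the article or of the CocoaPods project: it parses the Podfile.lock format and flags pods whose owner record is empty or "?". The sample lockfile and the owner map are constructed here; the shape of the owner map (pod name to list of owners) and where you obtain that data are assumptions.

```ruby
# Added example (not from the article or the CocoaPods project): flag pods in a
# Podfile.lock whose recorded owner is missing or "?", for manual review.
require "yaml"

# "AFNetworking/Serialization (= 4.0.1)" -> "AFNetworking" (drop version and subspec).
def pod_name(entry)
  entry.sub(/\s*\(.*\)\s*\z/, "").split("/").first
end

# Unique top-level pod names pinned under PODS: in a Podfile.lock (YAML).
def pods_in_lockfile(lock_text)
  (YAML.safe_load(lock_text)["PODS"] || []).map do |item|
    # Entries that list subspec dependencies parse as one-key hashes.
    pod_name(item.is_a?(Hash) ? item.keys.first : item)
  end.uniq
end

# owners: pod name => list of owner names. The shape of this map is an
# ASSUMPTION; populate it from whatever ownership source you trust.
def orphaned_pods(lock_text, owners)
  pods_in_lockfile(lock_text).select do |name|
    list = Array(owners[name])
    list.empty? || list.all? { |o| o.to_s.strip == "?" }
  end
end

# Constructed sample data for demonstration only.
SAMPLE_LOCK = <<~LOCK
  PODS:
    - AFNetworking (4.0.1):
      - AFNetworking/Serialization (= 4.0.1)
    - AFNetworking/Serialization (4.0.1)
    - Alamofire (5.6.4)
    - LegacyHelper (0.9.2)
    - StaleUtil (1.0.0)
LOCK

SAMPLE_OWNERS = {
  "AFNetworking" => ["maintainer-a"],
  "Alamofire"    => ["maintainer-b"],
  "LegacyHelper" => ["?"],  # never claimed after the 2014 trunk migration
  # "StaleUtil" is deliberately absent: no owner record at all
}

if __FILE__ == $PROGRAM_NAME
  puts "Review before keeping: #{orphaned_pods(SAMPLE_LOCK, SAMPLE_OWNERS).join(', ')}"
end
```

Pods reported by `orphaned_pods` are candidates for the manual validation or removal the article describes, not proof of compromise.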
(B.Sc.)