Almost all Apple devices were exposed to supply chain attacks

Three major vulnerabilities in CocoaPods, software that simplifies app updates for iOS and macOS devices, went unnoticed for nearly a decade. If exploited by an attacker, the bugs could have allowed malware injection.

The trio of flaws likely existed since May 2014, after a CocoaPods migration process left thousands of packages “orphaned,” researchers at cybersecurity firm EVA Information Security discovered.

“CocoaPods is the most popular choice among iOS developers. Many of the potentially impacted artifacts are dependencies for projects maintained by major companies such as Google, GitHub, Amazon, Dropbox, and more - which puts the projects and downstream dependencies at risk,” EVA researchers said.

The most feared vulnerability, tracked as CVE-2024-38368, allowed any CocoaPods user to claim the “orphaned” packages. That means malicious actors could have claimed the packages and used them to distribute malware.

Since developers use CocoaPods to add pre-written code to iOS and macOS apps, threat actors could use the bug to inject malware into the app’s architecture, bypassing security measures.

It’d be something akin to an ill-intentioned individual modifying a recipe in a cookbook, after which readers would proceed to make dishes with the wrong ingredients. That was possible because the CocoaPods library had a policy allowing anyone to claim ownership of abandoned cookbooks.

Researchers discovered that Facebook, WhatsApp, Apple, Microsoft Teams, TikTok, Snapchat, Amazon, LinkedIn, Netflix, and others were cooking recipes from unclaimed books.

“Overall, we found that 685 Pods had an explicit dependency using an orphaned Pod; doubtless, there are hundreds or thousands more in proprietary codebases. All of these were, at some period or another, vulnerable to the supply chain attack described below,” researchers said.
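One defensive check a team can run in CI against the replacement scenario described above: CocoaPods records a checksum of every resolved podspec in the `SPEC CHECKSUMS` section of `Podfile.lock`, so comparing those against a reviewed baseline flags a Pod whose podspec changed while its pinned version did not. This is an added example, not code from the article or from the CocoaPods project; the lockfile excerpt, pod names, checksums and the baseline map are all constructed.

```ruby
require 'yaml'
# Constructed Podfile.lock excerpt; pod names and checksums are made up.
SAMPLE_LOCK = <<~LOCK
  PODS:
    - ExampleImageCache (2.3.0)
    - ExampleNetworking (4.0.1)

  SPEC REPOS:
    trunk:
      - ExampleImageCache
      - ExampleNetworking

  SPEC CHECKSUMS:
    ExampleImageCache: ac3d9f0b7e21c4a85f6d0e9b1c2a3d4e5f607182
    ExampleNetworking: f1e2d3c4b5a6978877665544332211aabbccddee

  COCOAPODS: 1.12.1
LOCK

# Constructed baseline a team commits after reviewing each podspec. Here
# ExampleImageCache's podspec changed while its pinned version did not,
# which is what a replaced orphaned Pod would look like in the lockfile.
BASELINE = {
  'ExampleImageCache' => 'bbbb9f0b7e21c4a85f6d0e9b1c2a3d4e5f607182',
  'ExampleNetworking' => 'f1e2d3c4b5a6978877665544332211aabbccddee'
}.freeze

# Podfile.lock is YAML; return its pod => podspec checksum map.
def spec_checksums(lock_text)
  YAML.safe_load(lock_text).fetch('SPEC CHECKSUMS', {})
end

# Compare lockfile checksums with the baseline. Returns changed pods as
# pod => [baseline, current], plus pods with no baseline entry, sorted.
def checksum_drift(lock_text, baseline)
  current = spec_checksums(lock_text)
  changed = {}
  unbaselined = []
  current.each do |pod, sum|
    if !baseline.key?(pod)
      unbaselined << pod
    elsif baseline[pod] != sum
      changed[pod] = [baseline[pod], sum]
    end
  end
  { changed: changed, unbaselined: unbaselined.sort }
end

drift = checksum_drift(SAMPLE_LOCK, BASELINE)
drift[:changed].each { |pod, (old, new)| puts "CHANGED #{pod}: #{old} -> #{new}" }
drift[:unbaselined].each { |pod| puts "UNREVIEWED #{pod}" }
```

A non-empty `changed` or `unbaselined` result is the signal to review the podspec before merging, since a pinned version alone does not prove the spec behind it is the one that was originally reviewed.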

The most severe of the EVA-discovered flaws, CVE-2024-38366, could be used to facilitate arbitrary code execution on the Trunk server, allowing package manipulation and replacement. Meanwhile, the third vulnerability, CVE-2024-38367, could be exploited to lure targets into clicking malicious verification links.

The good news is that EVA researchers informed CocoaPods about the flaws before disclosing their findings, and the issues were patched in October 2023. So far, there are no indications that threat actors have exploited any of the flaws.