July 2, 2024 at 09:22AM
Critical vulnerabilities in the CocoaPods dependency manager allowed threat actors to take over orphaned packages, execute shell commands, and impact millions of iOS and macOS applications. Orphaned pods were associated with a default owner, and an authentication server bug enabled remote code execution. The vulnerabilities were addressed by CocoaPods in 2023.
Based on the meeting notes, the key takeaways are as follows:
1. Critical vulnerabilities in the CocoaPods dependency manager, including CVE-2024-38368, CVE-2024-38366, and CVE-2024-38367, could have allowed threat actors to take over orphaned packages, execute shell commands, and hijack accounts, potentially impacting millions of iOS and macOS applications.
2. Orphaned pods, authentication server vulnerabilities, and session hijacking flaws posed significant risks to the security of the CocoaPods ecosystem, potentially exposing a significant percentage of the Swift and Objective-C application ecosystem to supply chain and zero-click attacks.
3. CocoaPods addressed these vulnerabilities server-side in September and October 2023, so they can no longer be exploited. As a further precaution, CocoaPods wiped all session keys to prevent unauthorized access to accounts.
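The supply-chain risk described in the takeaways above is that a pod an app already depends on can change hands and be re-published without the app's own code changing. One defender-side control is to diff a project's committed `Podfile.lock` against a known-good baseline and flag the patterns that matter: a podspec checksum that changed while the resolved version stayed the same, a newly appearing pod, and dependencies that are not pinned to an exact version. The script below is an added example written for this summary; it is not code from the article, from EVA Information Security, or from the CocoaPods project, and it does not detect the specific CVEs named above. Both lockfiles, the pod names `ExampleOrphanedPod` and `NewlyAddedPod`, and every checksum value are constructed for illustration.

```python
"""Audit a CocoaPods Podfile.lock against a known-good baseline (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample lockfiles; pod names and all checksums are made up.
BASELINE_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - ExampleOrphanedPod (1.2.0)

DEPENDENCIES:
  - Alamofire (= 5.6.4)
  - ExampleOrphanedPod (= 1.2.0)

SPEC CHECKSUMS:
  Alamofire: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  ExampleOrphanedPod: 1111111111111111111111111111111111111111

PODFILE CHECKSUM: 2222222222222222222222222222222222222222

COCOAPODS: 1.12.1
"""

CURRENT_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - ExampleOrphanedPod (1.2.0)
  - NewlyAddedPod (0.1.0)

DEPENDENCIES:
  - Alamofire (~> 5.6)
  - ExampleOrphanedPod (= 1.2.0)
  - NewlyAddedPod

SPEC CHECKSUMS:
  Alamofire: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  ExampleOrphanedPod: cccccccccccccccccccccccccccccccccccccccc
  NewlyAddedPod: dddddddddddddddddddddddddddddddddddddddd

PODFILE CHECKSUM: 3333333333333333333333333333333333333333

COCOAPODS: 1.12.1
"""

# Top-level entries in PODS are indented by exactly two spaces; sub-dependencies by four.
POD_LINE = re.compile(r"^  - (?P<name>[^\s(]+) \((?P<version>[^)]+)\)")
DEP_LINE = re.compile(r"^  - (?P<name>[^\s(]+)(?: \((?P<req>[^)]+)\))?")
CHECKSUM_LINE = re.compile(r"^  (?P<name>[^:]+): (?P<sha>[0-9a-f]{40})$")


@dataclass
class Lockfile:
    pods: dict = field(default_factory=dict)          # pod name -> resolved version
    requirements: dict = field(default_factory=dict)  # pod name -> Podfile requirement
    checksums: dict = field(default_factory=dict)     # pod name -> podspec SHA-1


def parse_lockfile(text: str) -> Lockfile:
    """Extract resolved versions, requirements and spec checksums from a Podfile.lock."""
    lock = Lockfile()
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            section = line[:-1]          # "PODS", "DEPENDENCIES", "SPEC CHECKSUMS", ...
            continue
        if section == "PODS" and (m := POD_LINE.match(line)):
            name = m.group("name").split("/")[0]   # subspec "A/B" belongs to pod "A"
            lock.pods.setdefault(name, m.group("version"))
        elif section == "DEPENDENCIES" and (m := DEP_LINE.match(line)):
            lock.requirements[m.group("name").split("/")[0]] = m.group("req") or "*"
        elif section == "SPEC CHECKSUMS" and (m := CHECKSUM_LINE.match(line)):
            lock.checksums[m.group("name")] = m.group("sha")
    return lock


def audit(baseline: Lockfile, current: Lockfile) -> list:
    """Return (kind, pod, detail) findings for changes a reviewer should look at."""
    findings = []
    for name, version in current.pods.items():
        old_version = baseline.pods.get(name)
        old_sha, new_sha = baseline.checksums.get(name), current.checksums.get(name)
        if old_version is None:
            findings.append(("new-pod", name, f"{version} added"))
        elif version != old_version:
            findings.append(("version-change", name, f"{old_version} -> {version}"))
        elif old_sha and new_sha and old_sha != new_sha:
            # Same version but a different podspec: the spec was re-published after
            # the baseline was taken, which is exactly what a pod takeover looks like.
            findings.append(("spec-changed-same-version", name, f"{old_sha[:8]} -> {new_sha[:8]}"))
        if new_sha is None:
            findings.append(("missing-checksum", name, "no SPEC CHECKSUMS entry"))
    for name, req in current.requirements.items():
        # Anything other than an exact "= x.y.z" (or a local/git "from ..." source)
        # lets a future `pod update` pull whatever the registry serves next.
        if not (req.startswith("= ") or req.startswith("from ")):
            findings.append(("unpinned", name, f"requirement '{req}'"))
    return findings


if __name__ == "__main__":
    for kind, pod, detail in audit(parse_lockfile(BASELINE_LOCK), parse_lockfile(CURRENT_LOCK)):
        print(f"{kind:28s} {pod:20s} {detail}")
```

Run it against a real project by replacing the two constants with the contents of the baseline and working-tree `Podfile.lock`. A `spec-changed-same-version` finding is the one that deserves immediate attention: the resolved version did not move, so nothing in the app's own history explains why the podspec differs from the one previously reviewed.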
It’s important to note that the security firm EVA Information Security discovered and reported these vulnerabilities, leading to prompt action from CocoaPods to address and mitigate the risks.
Overall, the vulnerabilities identified in CocoaPods underscore the critical importance of addressing security flaws in open source software to protect the wider application ecosystem.