CocoaPods, a widely-used dependency manager for iOS and macOS applications, has been found to harbor three critical vulnerabilities, exposing almost all Apple devices to potential supply chain attacks. These vulnerabilities, which went unnoticed for nearly a decade, could have allowed attackers to inject malware into apps.

Discovered by cybersecurity experts at EVA Information Security, these flaws have likely existed since May 2014. They originated from a CocoaPods migration process that left thousands of packages “orphaned.” This oversight created an avenue for attackers to claim these abandoned packages and use them maliciously. 

The most severe of these vulnerabilities, identified as CVE-2024-38368, enabled any CocoaPods user to take over orphaned packages. This flaw allowed threat actors to distribute malware by integrating malicious code into popular iOS and macOS apps. Given CocoaPods’ popularity among developers, many major companies like Google, GitHub, Amazon, and Dropbox were at risk.

Researchers emphasized the widespread impact: “CocoaPods is the most popular choice among iOS developers. Many of the potentially impacted artifacts are dependencies for projects maintained by major companies such as Google, GitHub, Amazon, Dropbox, and more – which puts the projects and downstream dependencies at risk,” EVA researchers stated.

One vulnerability, CVE-2024-38366, could enable arbitrary code execution on the Trunk server, leading to potential package manipulation and replacement. Another flaw, CVE-2024-38367, could lure targets into clicking malicious verification links, compromising their systems.

The implications are serious: developers using CocoaPods to streamline their software updates might have unknowingly incorporated malicious code into their applications. This scenario is akin to someone modifying a recipe in a cookbook, causing others to use incorrect ingredients unknowingly.

EVA researchers reported that over 685 Pods had explicit dependencies on orphaned packages, with potentially hundreds or thousands more in proprietary codebases. This wide-reaching vulnerability posed a significant supply chain risk.

Fortunately, EVA Information Security notified CocoaPods about these vulnerabilities before publicly disclosing them. The issues were patched in October 2023, and so far, there have been no reports of these flaws being exploited in the wild.

This incident underscores the importance of rigorous cybersecurity measures and regular audits of software dependencies to prevent such supply chain attacks. For IT security teams, software developers, and decision-makers in tech companies, this serves as a crucial reminder to remain vigilant and proactive in safeguarding their development environments.