Supply-Chain Attack Alert: 3 Million iOS and macOS Apps at Risk due to CocoaPods Vulnerabilities

San Francisco, California – Vulnerabilities that went unnoticed for ten years exposed thousands of macOS and iOS apps to potential supply-chain attacks. These security flaws were only detected last October, posing significant risks to the millions or even billions of people who had these apps installed. The vulnerabilities were found in a server used to manage CocoaPods, a repository for open-source Swift and Objective-C projects that is relied upon by around 3 million macOS and iOS apps.

Researchers from EVA Information Security discovered these vulnerabilities, which could lead to code injection and the compromise of sensitive information such as credit card details and medical records. The vulnerabilities stemmed from an insecure email verification mechanism used to authenticate the developers of individual pods. By manipulating the URL in the verification email, attackers could redirect users to a server under their control, potentially allowing them to access confidential data for malicious purposes.
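The link-manipulation weakness described above, in simplified form, as an added example that is not code from CocoaPods or from the researchers: the weak pattern builds the verification link from a host value taken from the incoming request (the exact header involved is not stated on this page; the example assumes a forwarded-host value), so whoever controls that value controls where the emailed link points. The hardened pattern takes the origin from server-side configuration only, and the token is random, single-use and stored hashed so a leaked copy cannot be replayed. The base URL, email address and in-memory store are constructed for the example.

```python
"""
Added example (not CocoaPods or EVA Information Security code): building an
email-verification link from a trusted, configured origin instead of from
request-supplied data, plus a single-use hashed token.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the service's own public origin is fixed configuration.
# Placeholder value constructed for this example.
CANONICAL_BASE_URL = "https://trunk.example.invalid"

# Constructed in-memory store: email -> sha256(token). A real service would
# persist this with an expiry; the shape is enough to show the check.
_pending_tokens = {}


def weak_build_verification_link(request_host, token):
    """Vulnerable pattern: the host is copied from the request (e.g. a
    forwarded-host header the client can set), so the link mailed to the
    developer points wherever the request said, not to this server."""
    return f"https://{request_host}/sessions/verify/{token}"


def safe_build_verification_link(token):
    """Hardened pattern: the request is never consulted for the origin."""
    return f"{CANONICAL_BASE_URL}/sessions/verify/{token}"


def link_origin_is_trusted(link):
    """Defensive check usable in tests or before sending mail: the link's
    scheme and host must match the configured origin exactly."""
    got = urlsplit(link)
    want = urlsplit(CANONICAL_BASE_URL)
    return got.scheme == want.scheme and got.netloc == want.netloc


def issue_token(email):
    """Create a fresh random token for this email; only its hash is kept."""
    token = secrets.token_urlsafe(32)
    _pending_tokens[email] = hashlib.sha256(token.encode()).hexdigest()
    return token


def verify_token(email, presented):
    """Constant-time comparison against the stored hash; a successful
    verification consumes the token so it cannot be replayed."""
    expected = _pending_tokens.get(email)
    if expected is None:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return False
    del _pending_tokens[email]
    return True


if __name__ == "__main__":
    # Constructed walk-through of both link builders.
    tok = issue_token("dev@example.invalid")
    bad = weak_build_verification_link("attacker.invalid", tok)
    good = safe_build_verification_link(tok)
    print("weak link trusted? ", link_origin_is_trusted(bad))
    print("safe link trusted? ", link_origin_is_trusted(good))
    print("first use ok?      ", verify_token("dev@example.invalid", tok))
    print("second use ok?     ", verify_token("dev@example.invalid", tok))
```

The point of `link_origin_is_trusted` is that the check is cheap to put in a unit test for any mail template: if a link can ever be produced with a netloc other than the configured one, the template is reading the request somewhere it should not.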

One identified vulnerability, CVE-2024-38367, allowed attackers to take control of abandoned pods that were still being used by apps. This exploit enabled anyone to activate an orphaned pod and gain control over it without providing any proof of ownership. Another vulnerability, CVE-2024-38368, allowed attackers to change the ownership of targeted orphaned pods with a simple curl request, posing a serious security risk.

Furthermore, a third vulnerability, CVE-2024-38366, permitted attackers to execute code on the trunk server by exploiting the server’s reliance on RFC822 for verifying developer email addresses. This vulnerability highlighted the need for robust security measures to prevent unauthorized access and code execution on essential servers.

Overall, the discovery of these vulnerabilities emphasizes the importance of regular security audits and updates to protect against potential supply-chain attacks on widely used apps. It serves as a reminder of the ever-present risks of cyber threats and the critical need for developers to prioritize security in their coding practices to safeguard user data.