While no known exploits have been detected in iOS or macOS apps, the issues have been patched since October. The vulnerabilities, now detailed in a report from EVA Information Security and Ars Technica, could have led to significant problems if exploited by bad actors.
CocoaPods Vulnerabilities: CocoaPods is a repository for Swift and Objective-C packages. Three key vulnerabilities were identified, all related to how developers logged in to manage their pods:
- Manipulation of Verification Links (CVE-2024-38367): Bad actors could point verification links to servers they control.
- Control of Abandoned Pods (CVE-2024-38368): Invading and controlling abandoned pods.
- Code Execution on Trunk Server (CVE-2024-38366): Executing arbitrary shell commands on the trunk server.
Potential Impact: If exploited, these vulnerabilities could allow bad actors to manipulate pods, causing them to update automatically in every app using them. This could lead to unauthorized access to sensitive user information like passwords or credit card data.
Developer Recommendations: Developers using CocoaPods should:
- Synchronize
podfile.lockfiles to ensure consistency across development teams. - Perform CRC validation for internally developed pods.
- Conduct thorough security reviews of third-party code.
- Verify CocoaPods dependencies are not orphaned.
- Use actively maintained third-party dependencies with clear ownership.
- Conduct periodic security code scans on all external libraries, especially CocoaPods.
- Be cautious of widely used dependencies as they are more attractive targets for potential exploits.
User Actions:
- Ensure you use trusted apps that are regularly updated.
- Monitor your accounts for any unusual activity.
- Keep your devices and apps up to date to benefit from the latest patches and bug fixes.
While the vulnerabilities in CocoaPods were serious, there is no evidence that they were ever exploited. The issues have been patched, and old session keys wiped, minimizing future risks related to these vulnerabilities.
