3 million iOS and macOS apps exposed to powerful supply-chain attacks


Aurich Lawson

Vulnerabilities that remained undetected for a decade left thousands of macOS and iOS apps susceptible to supply-chain attacks. Hackers could have compromised the security of millions or billions of people who installed them by adding malicious code, researchers said Monday.

The vulnerabilities, patched last October, existed in the “trunk” server used to manage CocoaPods, a repository for open source Swift and Objective-C projects that about 3 million macOS and iOS apps depend on. When developers make changes to one of their “pods” — CocoaPods are used to package individual code — dependent apps typically incorporate them automatically through app updates, usually with no interaction required by end users.

Code Injection Vulnerabilities

“Many applications can access a user's most sensitive information: credit card details, medical records, private content, and more,” wrote researchers at EVA Information Security, the firm that discovered the vulnerability. “Injecting code into these applications allows attackers to access this information for almost any malicious purpose – ransomware, fraud, blackmail, corporate espionage… In the process, it can expose companies to major legal liabilities and reputation risks.”

The three vulnerabilities discovered by EVA stem from an insecure verification email mechanism used to authenticate developers of individual pods. The developer entered the email address associated with his pod. The trunk server responded by sending a link to the address. When someone clicked on the link, they gained access to the account.

In one case, the attacker could manipulate the URL in the link so that it pointed to a server under the attacker's control. The server accepted a forged XFH (X-Forwarded-Host), an HTTP header that identifies the target host specified in the HTTP request. EVA researchers found that they could use the forged XFH to create URLs of their choice.

Typically, the email will include a legitimate link pointing to the CocoaPods.org server, such as:

What a valid verification email looks like.

EVA Information Security

Researchers can instead change the URL to point to their own server:

The verification email after it has been tampered with.

EVA Information Security

This vulnerability, tracked as CVE-2024-38367, was present in the session_controller class of the trunk server source code, which handles session verification URLs. This class uses the session_controller.rb mechanism, which prefers XFH over the original Host header. The researchers' proof-of-concept request was:

POST /api/v1/sessions HTTP/1.1
Host: trunk.cocoapods.org
Content-Type: application/json; charset=utf-8
Accept: application/json; charset=utf-8
User-Agent: CocoaPods/1.12.1
Accept-Encoding: gzip, deflate
X-Forwarded-Host: research.evasec.io
Content-Length: 78

{
  "email":"[email protected]",
  "name":"EVAResearch",
  "description":null
}
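The following Ruby sketch is an added example, not code from the CocoaPods trunk server or from EVA's write-up. It shows the pattern the article describes (building the emailed verification link from a host taken out of X-Forwarded-Host) next to a hardened version that only ever uses a configured canonical host, plus a small log check a defender can run over proxy or application request headers. The constant names, the allow-list and the sample headers are all assumptions made for the example.

```ruby
require 'uri'

# Assumed configuration value: the only host verification links should point to.
CANONICAL_HOST = 'trunk.cocoapods.org'

# Vulnerable pattern (as described in the article): the link host is derived
# from request headers, and X-Forwarded-Host wins over Host when present.
def verification_url_vulnerable(headers, token)
  host = headers['X-Forwarded-Host'] || headers['Host']
  "https://#{host}/sessions/verify/#{token}"
end

# Hardened pattern: the link host never comes from the request at all, and the
# token is constrained to a safe character set so it cannot alter the URL.
def verification_url_hardened(_headers, token)
  raise ArgumentError, 'bad token' unless token.match?(/\A[A-Za-z0-9]{16,}\z/)
  "https://#{CANONICAL_HOST}/sessions/verify/#{token}"
end

# Detection aid: hosts the front proxy is expected to set in X-Forwarded-Host.
# Anything else reaching the application is worth alerting on (assumed list).
ALLOWED_FORWARDED_HOSTS = [CANONICAL_HOST].freeze

def suspicious_forwarded_host?(headers)
  xfh = headers['X-Forwarded-Host']
  return false if xfh.nil?
  !ALLOWED_FORWARDED_HOSTS.include?(xfh.downcase)
end

# Helper used to inspect which host a generated link actually points at.
def link_host(url)
  URI.parse(url).host
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request headers with a forged X-Forwarded-Host value.
  forged = { 'Host' => CANONICAL_HOST, 'X-Forwarded-Host' => 'forged.example' }
  token = 'a' * 20
  puts "vulnerable link host: #{link_host(verification_url_vulnerable(forged, token))}"
  puts "hardened link host:   #{link_host(verification_url_hardened(forged, token))}"
  puts "flagged by log check: #{suspicious_forwarded_host?(forged)}"
end
```

The important design point is that the fix is not "validate X-Forwarded-Host better": any security-sensitive URL that is emailed to a user should be assembled from server-side configuration, and the forwarded-host header should only be honoured when a trusted proxy is known to set it.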

A separate vulnerability, tracked as CVE-2024-38368, allowed attackers to take control of pods that had been abandoned by their developers but continue to be used by apps. A programming interface allowing developers to reclaim their pods remained active nearly 10 years after it was first implemented. The researchers found that anyone who finds the interface of an orphaned pod can activate it to regain control of it, with no ownership proof required.

A simple curl request that included the pod name was all that was needed:

# Curl request for changing ownership of a targeted orphaned pod
curl -X 'POST' \
  -H 'Host: trunk.cocoapods.org' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-binary 'owner[name]=EVA&[email protected]' \
  --data-binary 'pods[]=[TARGET_UNCLAIMED_POD]&button=SEND' \
  'https://trunk.cocoapods.org/claims'
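As an added illustration of the authorization gap behind CVE-2024-38368 (this is example code, not the trunk server's claims handler), the Ruby below models a claims endpoint in two forms: one that hands any orphaned pod to whoever names it, and one that requires the claimant's email to be verified and to match a recorded former owner, writing an audit line either way. The pod registry, the former-owner table and the "former owner" proof policy are constructed assumptions; a real service might instead gate claims behind a manual review.

```ruby
# Constructed registry: pod name => current owner emails. An empty list means
# the pod is orphaned (its maintainers are gone but apps still depend on it).
PODS = {
  'ExamplePodA' => [],
  'ExamplePodB' => ['maintainer@example.invalid'],
}

# Constructed ownership evidence: who owned each pod before it was abandoned.
# (Assumed proof policy for the example; a real service could require review.)
FORMER_OWNERS = {
  'ExamplePodA' => ['original@example.invalid'],
}

class ClaimDenied < StandardError; end

# Fresh mutable copy of the registry so repeated runs start from the same state.
def fresh_registry
  PODS.transform_values(&:dup)
end

# Vulnerable pattern (as the article describes): naming an orphaned pod is
# sufficient; no proof of ownership is checked before reassigning it.
def claim_pod_vulnerable(registry, pod, claimant_email)
  owners = registry.fetch(pod) { raise ClaimDenied, 'unknown pod' }
  raise ClaimDenied, 'pod is not orphaned' unless owners.empty?
  registry[pod] = [claimant_email]
end

# Hardened pattern: the claimant must be acting from a verified address, that
# address must be a recorded former owner, and every decision is audit-logged.
def claim_pod_hardened(registry, pod, claimant_email, verified_email:, audit:)
  owners = registry.fetch(pod) { raise ClaimDenied, 'unknown pod' }
  raise ClaimDenied, 'pod is not orphaned' unless owners.empty?
  raise ClaimDenied, 'claimant email not verified' unless claimant_email == verified_email
  unless FORMER_OWNERS.fetch(pod, []).include?(claimant_email)
    audit << "DENIED claim pod=#{pod} by=#{claimant_email} reason=no_ownership_proof"
    raise ClaimDenied, 'no ownership proof'
  end
  audit << "GRANTED claim pod=#{pod} by=#{claimant_email}"
  registry[pod] = [claimant_email]
end

if __FILE__ == $PROGRAM_NAME
  audit = []
  registry = fresh_registry
  begin
    claim_pod_hardened(registry, 'ExamplePodA', 'anyone@example.invalid',
                       verified_email: 'anyone@example.invalid', audit: audit)
  rescue ClaimDenied => e
    puts "hardened: #{e.message}"
  end
  claim_pod_hardened(registry, 'ExamplePodA', 'original@example.invalid',
                     verified_email: 'original@example.invalid', audit: audit)
  puts audit
end
```

The audit lines are the operational part: a burst of DENIED entries, or GRANTED entries for pods that many apps depend on, is the signal a registry operator would want routed to monitoring, since the article's point is that the claim path sat unused for years without anyone watching it.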

The third vulnerability, CVE-2024-38366, allows attackers to execute code on the Trunk server. The Trunk server relies on RFC822, formalized in 1982, to verify the uniqueness of registered developer email addresses and to check whether they follow the correct format. Part of the process, as carried out by this RFC822 implementation, involves checking the MX records of the email address domains.
