CocoaPods, a dependency manager used in over three million applications coded in Swift and Objective-C, has left thousands of packages exposed and ready for takeover for nearly a decade. The issue was discovered by Israeli firm EVA Information Security and affects 1,870 Pods that remained unclaimed by their owners.
The problem allowed an attacker to claim an unclaimed Pod and insert malicious code without providing any verification of ownership. All an attacker needed to do was send a particular curl request to the Trunk server, after which they had free rein to modify the Pod.
Two additional vulnerabilities were found: one allowing remote code execution on the Trunk server, and another, in the Trunk server’s own source code, allowing session validation tokens to be stolen without any user interaction.
The researchers noted that they actually used the method to take over the owner accounts of some of the most popular CocoaPods packages, which “we could have used … for highly damaging supply chain attacks that could impact the entire Apple ecosystem.”
CocoaPods has since patched the issues, and maintainers contacted by The Register did not respond to questions before publication.