Cuckoo for CocoaPods

A researcher at EvaSec recently discovered a vulnerability in the CocoaPods ecosystem that could potentially affect an undetermined (but huge) number of mobile app users. CocoaPods is a dependency manager with over 100,000 libraries, used by over one million iOS applications.

The vulnerability is essentially an account takeover: under specific conditions it lets a bad actor take ownership of a ‘Pod’ (a library published through CocoaPods). The attacker can then publish a version containing malicious code, which gets pulled into mobile apps the next time their developers update dependencies and ship a new release. The flaw therefore has the potential to compromise millions of applications.

It all started in 2014, when CocoaPods changed the way it registered pod authors: ownership was tied to accounts registered with CocoaPods itself and linked directly to pods, rather than derived from GitHub profiles, in an attempt to tighten security. Authors had to claim their pods under the new scheme, and pods that were never claimed became ‘orphaned.’

An attacker could claim an orphaned pod simply by issuing an API call (even with a plain curl command) naming the target pod. This appears to apply to roughly 2% of pods, most of which are no longer actively maintained even though they are still in use.

However, the actual number could be higher without anyone knowing: since the flaw has existed for ten years, it is entirely possible that some pods believed to be controlled by their legitimate authors have already been compromised. It is remarkable that the vulnerability survived for a whole decade, far longer than the already sad 88 days it takes to patch a critical vulnerability.

Supply chain vulnerabilities are hard to protect against by their nature. In this case, the most important thing to check is whether any of the applications you depend on use orphaned pods, but that is simply outside the control of most end users. The burden falls on app makers, pod maintainers and CocoaPods itself.
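For the app makers who carry that burden, the two practical checks are: did any podspec change underneath a version we already had pinned (the signature of a takeover that re-publishes existing versions), and are any of our pods sitting under a placeholder owner rather than a real maintainer? The script below is an added example written for this article, not code from EvaSec or from the CocoaPods project. It parses the real `PODS:` and `SPEC CHECKSUMS:` sections of a `Podfile.lock` (the SHA-1 of each podspec that CocoaPods records there) and diffs two lock files across a dependency update. The lock-file contents, the pod names (`ExampleNetKit`, `ExampleLegacyPod`, `ExampleAnalytics`), the owner map and the placeholder owner address are all constructed or assumed for the example; in practice the owner data would come from whatever registry query you use.

```ruby
# Added example: audit a CocoaPods dependency update from its Podfile.lock.
# Check 1: a podspec checksum that changes while the resolved version stays
#          the same means the spec was altered under an existing version.
# Check 2: pods whose registered owner is a placeholder account (orphaned).
# The Podfile.lock layout is the real one; all pod names, checksums and owner
# records below are constructed for the example.

PodState = Struct.new(:version, :checksum)

# Parse the PODS and SPEC CHECKSUMS sections of a Podfile.lock into
# { "Name" => PodState(version, checksum) }. Subspecs (Name/Sub) fold into Name.
def parse_podfile_lock(text)
  section = nil
  versions = {}
  checksums = {}
  text.each_line do |raw|
    line = raw.rstrip
    next if line.empty?
    if line =~ /\A([A-Z ]+):\z/          # top-level section header, e.g. "PODS:"
      section = Regexp.last_match(1)
      next
    end
    case section
    when "PODS"
      # Only two-space-indented entries: "  - Name (1.2.3)" or "  - Name/Sub (1.2.3):".
      # Four-space lines are a pod's own dependencies and are skipped.
      if line =~ /\A  - ([^\s(]+) \(([^)]+)\)/
        name = Regexp.last_match(1).split("/").first
        versions[name] ||= Regexp.last_match(2)
      end
    when "SPEC CHECKSUMS"
      # "  Name: <40 hex chars>" (SHA-1 of the podspec as resolved)
      if line =~ /\A  ([^:]+): ([0-9a-f]{40})\z/
        checksums[Regexp.last_match(1)] = Regexp.last_match(2)
      end
    end
  end
  versions.to_h { |name, ver| [name, PodState.new(ver, checksums[name])] }
end

# Compare the lock state before and after an update. Returns { "Name" => finding }.
def audit_lock_change(old_text, new_text)
  old_pods = parse_podfile_lock(old_text)
  new_pods = parse_podfile_lock(new_text)
  findings = {}
  new_pods.each do |name, now|
    before = old_pods[name]
    if before.nil?
      findings[name] = :new_pod
    elsif before.version == now.version && before.checksum != now.checksum
      findings[name] = :spec_changed_under_same_version   # strongest signal
    elsif before.version != now.version
      findings[name] = :version_changed                   # review the diff
    end
  end
  (old_pods.keys - new_pods.keys).each { |name| findings[name] = :removed }
  findings
end

# Pods whose owner list is empty or consists only of the placeholder address.
# `owners` maps pod name => [owner e-mails]; `placeholder` is the address the
# registry uses for unclaimed pods (assumed here, not taken from the article).
def orphaned_pods(lock_text, owners, placeholder)
  parse_podfile_lock(lock_text).keys.select do |name|
    emails = owners.fetch(name, [])
    emails.empty? || emails.all? { |e| e == placeholder }
  end
end

# Constructed sample: lock file before the update.
OLD_LOCK = <<~LOCK
  PODS:
    - ExampleNetKit (4.0.1):
      - ExampleNetKit/Core (= 4.0.1)
    - ExampleNetKit/Core (4.0.1)
    - ExampleLegacyPod (1.0.3)

  DEPENDENCIES:
    - ExampleNetKit (~> 4.0)
    - ExampleLegacyPod

  SPEC CHECKSUMS:
    ExampleNetKit: 0123456789abcdef0123456789abcdef01234567
    ExampleLegacyPod: abcdef0123abcdef0123abcdef0123abcdef0123

  COCOAPODS: 1.12.1
LOCK

# Constructed sample: after the update. ExampleNetKit keeps 4.0.1 but its spec
# checksum changed; ExampleLegacyPod bumped a version; ExampleAnalytics is new.
NEW_LOCK = <<~LOCK
  PODS:
    - ExampleNetKit (4.0.1):
      - ExampleNetKit/Core (= 4.0.1)
    - ExampleNetKit/Core (4.0.1)
    - ExampleLegacyPod (1.0.4)
    - ExampleAnalytics (2.0.0)

  SPEC CHECKSUMS:
    ExampleNetKit: fedcba9876543210fedcba9876543210fedcba98
    ExampleLegacyPod: deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
    ExampleAnalytics: cafebabecafebabecafebabecafebabecafebabe

  COCOAPODS: 1.12.1
LOCK

PLACEHOLDER_OWNER = "unclaimed-pods@cocoapods.org"  # assumed placeholder address
OWNERS = {                                          # constructed owner records
  "ExampleNetKit"    => ["maintainer@example.com"],
  "ExampleLegacyPod" => [PLACEHOLDER_OWNER],
  "ExampleAnalytics" => [],
}

if __FILE__ == $PROGRAM_NAME
  audit_lock_change(OLD_LOCK, NEW_LOCK).each { |pod, what| puts "#{pod}: #{what}" }
  puts "orphaned: #{orphaned_pods(NEW_LOCK, OWNERS, PLACEHOLDER_OWNER).join(', ')}"
end
```

Run it against the two `Podfile.lock` files from before and after `pod update` in CI and fail the build on `spec_changed_under_same_version`; a version bump or a new pod is normal but still deserves a look at the published diff, and any pod under a placeholder owner should be vendored or replaced rather than trusted to a future update.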