If you’ve had Apple Podcasts open randomly to a show you don’t subscribe to, you’re not alone. Here’s what’s going on.
No immediate danger, but still worth addressing
A new report from 404 Media describes an odd situation in which the Apple Podcasts app appears to open unprompted, usually to a “religion, spirituality, and education” podcast.
Making things even weirder, at least one podcast has presented a potentially malicious link, which could enable an old attack method known as cross-site scripting, or XSS.
404 Media notes that while the issue is annoying, it doesn’t pose an immediate risk to users. It does, however, leave the door open to a potentially more serious problem if someone discovers a vulnerability in the app that could be exploited in conjunction with this behavior.
From the report:
“That said, someone has tried to deliver something a bit more malicious through the Podcasts app. It’s the first podcast I mentioned, with the title “5../XEWE2′””"″onclic…”. Maybe some readers have already picked up on this, but the podcast is trying to direct listeners to a site that attempts to perform a cross-site scripting, or XSS, attack. XSS is basically when a hacker injects their own malicious code into a website that otherwise looks legit. It’s definitely a low-hanging fruit kind of attack, at least today. I remember it being way, way more common 10 years ago, and it was ultimately what led to the infamous MySpace worm.”
404 Media also notes that some shows that auto-open on Apple Podcasts date back to at least 2019, with occasional episodes that are either entirely silent or in languages other than English.
As 9to5Mac readers will likely recall, this isn’t the first time an Apple service or platform has faced issues like this. Just a few months ago, there was a resurgence of crypto spam on Apple Calendar, and iMessage has also faced spam issues in the past.
Over the years, Apple has added multiple user settings and system-level filters to help curb this kind of spam, but bad actors keep finding increasingly creative ways to circumvent Apple’s protections.