
Suspicious behavior prompts concerns about ‘hackers’ on Apple Podcasts app

Friday 28 November 2025, 14:57, by Mac 911
Macworld

Apple has worked hard to build a reputation for security and privacy: using iOS or macOS, the company has led us to believe, makes it much harder for hackers and other bad actors to steal our data or gain access to our accounts. But that doesn’t mean Apple platforms are immune to malicious attacks, and it looks like the company’s Podcasts app could be experiencing one at the moment.

One reporter, Joseph Cox of 404 Media, has observed a suspicious pattern of behavior on Podcasts that’s been going on, he says, for months. The app, on both iOS and macOS, spontaneously opens podcasts with odd names and odd contents.

“[The] app will open religion, spirituality, and education podcasts with no apparent rhyme or reason,” he writes. “Sometimes, I unlock my machine and the podcast app has launched itself and presented one of the bizarre podcasts to me.”

The podcasts are often years old, and in many cases their titles are nonsensical and stuffed with suspicious URLs. Some of them have no audio content at all. Worse, the page for at least one of these podcasts contains a link to a potentially malicious website.

Cox isn’t the only person to raise concerns. One very recent review of a six-year-old podcast, he notes, says “Scam. How does Apple allow this attempted XSS attack?” This category of attack matches the suspicious link and redirect Cox spotted in one of the spontaneously launched podcasts. The reporter also spoke to the security expert Patrick Wardle, who was able to verify the phenomenon.

“I have replicated similar behavior,” Wardle writes, “albeit via a website: simply visiting a website is enough to trigger Podcasts to open (and [to] load a podcast of the attacker’s choosing), and unlike other external app launches on macOS (e.g. Zoom), no prompt or user approval is required.”

As Cox emphasises, the behavior is more weird than truly troubling; Wardle describes it as hackers “actively evaluating the Podcasts app as a potential target,” implying that we are yet to experience real danger, but could do so in the future. Cox says he’s alerted Apple multiple times, but the company has yet to respond. We hope it’s quietly preparing a fix or defence against attacks via this new vector.
https://www.macworld.com/article/2992342/suspicious-behavior-prompts-concerns-about-hackers-on-apple...
