Security researchers have identified suspicious activity in Apple’s Podcasts app that could be used to deliver malicious content to users, based on a report by 404Media‘s Joseph Cox.
Cox’s report describes some odd experiences with the Podcasts app that certainly suggest something untoward is going on across both iOS and macOS versions. He says that over recent months, the app has automatically launched and displayed unusual podcasts without his input. On Mac and iPhone, the app has opened religion, spirituality, and education podcasts for no apparent reason, in some cases even launching themselves the moment Cox unlocked his device.
The podcasts in question often feature strange titles containing code fragments, URLs, and in some cases, attempts at cross-site scripting attacks.
Objective-See security expert Patrick Wardle told Cox he was able to replicate similar behavior, but in his case via a website. “Simply visiting a website is enough to trigger Podcasts to open (and load a podcast of the attacker’s choosing), and unlike other external app launches on macOS, no prompt or user approval is required,” Wardle told 404 Media.
One particularly concerning podcast apparently includes a link that redirects to a site attempting an XSS attack – a technique in which attackers inject malicious code into otherwise legitimate-looking websites. When visited, the site displays a pop-up acknowledging the XSS attempt.
Wardle notes that while this behavior isn’t immediately dangerous on its own, it creates an effective delivery mechanism if vulnerabilities do exist within the Podcasts app. “The level of probing shows that adversaries are actively evaluating the Podcasts app as a potential target,” he said.
The situation bears similarities to reports of Google Calendar spam from several years ago, where bad actors would add unsolicited events containing links or promotional content to users’ calendars.
Apple did not respond to Cox’s multiple requests for comment about the issue. Has the Podcasts app exhibited similar unusual behaviour in your experience? Let us know in the comments.
