Someone Is Trying To 'Hack' People Through Apple Podcasts (404media.co)
Apple's Podcasts app on both iOS and Mac has been exhibiting strange behavior for months, spontaneously launching and presenting users with obscure religion, spirituality and education podcasts they never subscribed to -- and at least one of these podcasts contains a link attempting a cross-site scripting attack, 404 Media reports. Joseph Cox, a journalist at the outlet, documented the issue after repeatedly finding his Mac had launched the Podcasts app on its own, presenting bizarre podcasts with titles containing garbled code, external URLs to Spotify and Google Play, and in one case, what appears to be XSS attack code embedded directly in the podcast title itself.
Patrick Wardle, a macOS security expert and creator of Objective-See, confirmed he could replicate similar behavior: simply visiting a website can trigger the Podcasts app to open and load an attacker-chosen podcast without any user prompt or approval. Wardle said this creates "a very effective delivery mechanism" if a vulnerability exists in the Podcasts app, and the level of probing suggests adversaries are actively evaluating it as a potential target. The XSS-attempting podcast dates from around 2019. A recent review in the app asked "How does Apple allow this attempted XSS attack?"
Asked for comment five times by 404 Media, Apple did not respond.
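As an added illustration, not code from 404 Media, Apple or Wardle, here is a small feed-metadata audit of the kind a podcast directory or feed consumer could run before rendering titles: it flags markup and inline event-handler attributes in text fields and links that are not plain https. The RSS document is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real podcast); one clean item, two suspicious ones.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Evening Reflections</title>
    <link>https://example.com/show</link>
    <item>
      <title>Episode 1: quiet minds</title>
      <link>https://example.com/ep1</link>
    </item>
    <item>
      <title>&lt;script&gt;x&lt;/script&gt; hello</title>
      <link>javascript:void(0)</link>
    </item>
    <item>
      <title>Episode 3 &lt;img src=x onerror=x&gt;</title>
      <link>http://example.org/ep3</link>
    </item>
  </channel>
</rss>
"""

MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.I)  # an HTML/XML tag opener
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.I)        # inline handler, e.g. onerror=
SAFE_LINK_PREFIXES = ("https://",)


def audit_feed(xml_text):
    """Return (where, field, reason) findings for text fields and links in a feed."""
    channel = ET.fromstring(xml_text).find("channel")
    nodes = [("channel", channel)]
    nodes += [("item[%d]" % i, it) for i, it in enumerate(channel.findall("item"))]
    findings = []
    for where, node in nodes:
        for field in ("title", "description", "link"):
            value = (node.findtext(field) or "").strip()  # entities are decoded here
            if not value:
                continue
            if field == "link":
                if not value.lower().startswith(SAFE_LINK_PREFIXES):
                    findings.append((where, field, "non-https link: " + value))
                continue
            if MARKUP_RE.search(value):
                findings.append((where, field, "markup in text field"))
            if EVENT_ATTR_RE.search(value):
                findings.append((where, field, "inline event handler attribute"))
    return findings


if __name__ == "__main__":
    for finding in audit_feed(SAMPLE_FEED):
        print(finding)
```

A platform that escapes every text field on output does not need this check for safety, but it is still a useful signal for spotting feeds that are probing for rendering bugs.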
Re: (Score:2)
Me: A program you wrote suddenly started exhibiting bad behavior. Comment?
You: Hummina, Hummina, Hummina.....let me investigate first.
Me: You are obviously complicit in some nefarious endeavor, and you are obviously guilty.
Re: "Apple did not respond." (Score:2, Insightful)
If it's been going on since 2019, I'd assume an investigation has happened in the last 6 years. So a comment on why it's still allowed seems reasonable.
Also known as ... (Score:4, Insightful)
Re: (Score:2)
I love the 3.4 / 5 rating for that.
It's a backdoor (Score:1, Informative)
Browsers should not launch apps (Score:3)
...simply visiting a website can trigger the Podcasts app to open and load...
This is why browsers should not launch apps without first prompting. Steam, Discord, Roblox, GlobalProtect VPN, BeyondTrust, Office 365/Teams, and gzillions more work this way. You should never click the "[ ] Don't prompt me any more for this application" button. This allows any arbitrary web site to get out of the browser sandbox and chain to security flaws (or even direct features like "subscribe to podcast") that are in the application.