Security Researchers Uncover Suspicious Activity in Apple’s Podcasts App

404Media's Joseph Cox reports that security researchers have noticed suspicious activity in Apple's Podcasts app that could be used to deliver malicious content to listeners' devices.

Something very strange is happening to the Apple Podcasts app. Over the last several months, I’ve found both the iOS and Mac versions of the Podcasts app will open religion, spirituality, and education podcasts with no apparent rhyme or reason. Sometimes, I unlock my machine and the podcast app has launched itself and presented one of the bizarre podcasts to me. On top of that, at least one of the podcast pages in the app includes a link to a potentially malicious website.

The suspicious podcasts include oddly-formatted titles containing code fragments, URLs, and in some cases, attempts at cross-site scripting attacks.
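As an added illustration, not code from the article or from the researchers it cites, the following Python script flags podcast feed items whose title or description carries markup, script-capable URIs or bare URLs, the kind of content described above. The feed it scans is a constructed sample, not a real podcast.

```python
import html
import re
import xml.etree.ElementTree as ET

# Content a podcast feed should not need. Titles are plain text, so any
# markup or URL in one is suspect; show notes (description) legitimately
# carry HTML, so there only script-capable constructs are flagged.
PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),
    "script_tag": re.compile(r"(?i)<\s*script\b"),
    "script_uri": re.compile(r"(?i)\b(javascript|vbscript|data)\s*:"),
    "event_handler": re.compile(r"(?i)\bon[a-z]+\s*="),
    "url": re.compile(r"(?i)\bhttps?://\S+"),
}
TITLE_CHECKS = list(PATTERNS)
DESC_CHECKS = ["script_tag", "script_uri", "event_handler"]

def scan_text(text, checks):
    """Return the names of the checks that match, after HTML-unescaping
    so that entity-encoded payloads (&lt;script&gt;) are not missed."""
    decoded = html.unescape(text or "")
    return [name for name in checks if PATTERNS[name].search(decoded)]

def scan_feed(xml_text):
    """Parse an RSS feed and return [(title, [check names])] for every
    item whose title or description trips a check."""
    root = ET.fromstring(xml_text)
    findings = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        hits = sorted(set(scan_text(title, TITLE_CHECKS)
                          + scan_text(desc, DESC_CHECKS)))
        if hits:
            findings.append((title, hits))
    return findings

# Constructed sample feed (not a real podcast): one clean item, one with an
# entity-encoded script tag, one with an event handler and a bare URL.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example</title>
<item><title>Episode 1: Morning reflections</title>
<description>A quiet talk.</description></item>
<item><title>Ep 2 &amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;</title>
<description>&lt;a href="javascript:alert(1)"&gt;notes&lt;/a&gt;</description></item>
<item><title>Ep 3 http://example.invalid/x</title>
<description>&lt;img src=x onerror=alert(1)&gt;</description></item>
</channel></rss>"""
```

Calling `scan_feed(SAMPLE_FEED)` reports the second and third items with the checks each tripped; the first item is reported as clean because a colon in a title or plain-text show notes match none of the patterns.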

Objective-See security expert Patrick Wardle told Cox he was able to replicate similar behavior, saying “Simply visiting a website is enough to trigger Podcasts to open (and load a podcast of the attacker’s choosing), and unlike other external app launches on macOS, no prompt or user approval is required.”

At least one of the questionable podcasts included a link that redirected to a site that attempted an XSS (cross-site scripting) attack, a technique in which attackers inject malicious script into seemingly legitimate websites so that it runs in visitors' browsers. When a user visits the site, it displays a pop-up acknowledging the XSS attempt.

“The level of probing shows that adversaries are actively evaluating the Podcasts app as a potential target,” he said.

Apple has not yet responded to Cox’s several requests for comment.

Chris Hauk

Chris is a Senior Editor at Mactrast. He lives somewhere in the deep Southern part of America, and yes, he has to pump in both sunshine and the Internet.