Hey there, here's a weird one. For months, the Apple Podcasts app has been opening random spirituality podcasts. Sometimes the app opens by itself too. At least one of these podcasts is trying to direct listeners to a potentially malicious website. Someone, somewhere, is clearly messing with Apple Podcasts, and Apple is not responding to requests for comment. Read below.

And if you didn't see it yet, we'd really, really appreciate it if you could fill out a super short survey about 404 Media. It asks how you found us, what coverage you like, etc. These answers will help us grow sustainably. Please, if you have one minute, answer some quick questions here. And here is more info on why we're asking for this help. Thank you!

Something very strange is happening to the Apple Podcasts app. Over the last several months, I’ve found that both the iOS and Mac versions of the Podcasts app will open religion, spirituality, and education podcasts with no apparent rhyme or reason. Sometimes I unlock my machine and the Podcasts app has launched itself and presented one of these bizarre podcasts to me. On top of that, at least one of the podcast pages in the app includes a link to a potentially malicious website.

Here are the titles of some of the very odd podcasts I’ve had thrust upon me recently (I’ve trimmed some and defanged some links so you don’t accidentally click one):

- “5../XEWE2'""""onclic…”
- “free will, free willhttp://www[.]sermonaudio[.]com/rss_search.asp?keyword=free%will on SermonAudio”
- “Leonel Pimentahttps://play[.]google[.]com/store/apps/detai…”
- “https://open[.]spotify[.]com/playlist/53TA8e97shGyQ6iMk6TDjc?...”
There was another with a title in Arabic that loosely translates to “Words of Life” and includes someone’s Gmail address. Sometimes the podcasts do have actual audio (one was a religious sermon); others are completely silent. The podcasts are often years old, but for some reason are being shown to me now.

I’ll be honest: I don’t really know exactly what is going on here. And neither did an expert I spoke to. But it’s clear someone, somewhere, is trying to mess with Apple Podcasts and its users.

“The most concerning behavior is that the app can be launched automatically with a podcast of an attacker’s choosing,” Patrick Wardle, a macOS security expert and the creator of the Mac-focused cybersecurity organization Objective-See, said. “I have replicated similar behavior, albeit via a website: simply visiting a website is enough to trigger Podcasts to open (and load a podcast of the attacker’s choosing), and unlike other external app launches on macOS (e.g. Zoom), no prompt or user approval is required.”

💡 Do you know anything else about these weird podcasts? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

To caveat straight away: this isn’t that alarming. This is not the biggest hack or issue in the world. But it’s still very weird behavior, and Apple has not responded to any of my requests for comment for months.

“Of course, very much worth stressing, on its own this is not an attack,” Wardle continued. “But it does create a very effective delivery mechanism if (and yes, big if) a vulnerability exists in the Podcasts app.”

That said, someone has tried to deliver something a bit more malicious through the Podcasts app. It’s the first podcast I mentioned, with the title “5../XEWE2'""""onclic…”. Maybe some readers have already picked up on this, but the podcast is trying to direct listeners to a site that attempts to perform a cross-site scripting, or XSS, attack.
XSS is basically when a hacker injects their own malicious code into a website that otherwise looks legit, so that the code runs in the browser of anyone who visits it. It’s definitely a low-hanging fruit kind of attack, at least today. I remember it being way, way more common 10 years ago, and it was ultimately what led to the infamous MySpace worm.

The weird link is included in the “Show Website” section of the podcast’s page. Visiting it redirects to another site, “test[.]ddv[.]in[.]ua.” A pop-up then says “XSS. Domain: test[.]ddv[.]in[.]ua.” I’m seemingly not the only one who has seen this. A review left in the Podcasts app just a few weeks ago says “Scam. How does Apple allow this attempted XSS attack?” The person gave the podcast one star. The podcast itself dates from around 2019.

“Whether any of those attempts have worked remains unclear, but the level of probing shows that adversaries are actively evaluating the Podcasts app as a potential target,” Wardle said.

Overall, the whole thing gives a similar vibe to Google Calendar spam, where someone sneakily adds an event to your calendar that includes whatever info or link they’re trying to spread around. I remember that being a pretty big issue a few years ago.

Apple did not acknowledge or respond to five emails requesting comment. The company did respond to other emails for different articles I was working on across that time.
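As an added illustration of the XSS probe described above (this is not code from the article, from Apple, or from any real podcast client), here is how a client that drops untrusted RSS metadata straight into its page can be caught by a title shaped like that one, and what the hardened rendering looks like. Everything in the block is constructed for the example: the feed item mimics the shape of the truncated title quoted above (break out of a quoted attribute, then add an event-handler attribute) but is not the real podcast's full title, and the `javascript:` link is an assumption about what a hostile “Show Website” field could carry, not something the article reports. The helpers (`escapeHtml`, `safeHref`, `attributeNames`, `hasInjectedAttribute`) are likewise hypothetical names written for this example.

```javascript
// Added example: how a podcast client that renders untrusted RSS metadata
// can be caught by a title shaped like the probe quoted in the article,
// and how to render the same data safely. Not code from the article,
// Apple, or any real client; everything below is constructed for the demo.

// Constructed feed item. The title mimics the *shape* of the truncated
// title in the article (close the attribute it lands in, then add an
// event-handler attribute); it is not the real podcast's full title.
// The javascript: link is an assumption about what a hostile "Show
// Website" field could carry, not something the article reports.
const CONSTRUCTED_FEED_ITEM = {
  title: `5../XEWE2'"""" onclick="alert('XSS. Domain: ' + document.domain)" x="`,
  link: 'javascript:alert(document.domain)',
};

// Vulnerable renderer: feed fields concatenated straight into markup.
function renderCardUnsafe(item) {
  return `<a class="show" href="${item.link}" title="${item.title}">${item.title}</a>`;
}

// Escape the five characters that matter in text nodes and in
// double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allow only absolute http(s) URLs for the Show Website link. Anything
// else (javascript:, data:, vbscript:, relative paths, garbage) yields
// null, and the link is simply not rendered.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not a parseable absolute URL
  }
  return null;
}

// Hardened renderer: every untrusted field is escaped, and the href is
// emitted only when it passes the scheme allowlist.
function renderCardSafe(item) {
  const t = escapeHtml(item.title);
  const href = safeHref(item.link);
  const hrefAttr = href === null ? '' : ` href="${escapeHtml(href)}"`;
  return `<a class="show"${hrefAttr} title="${t}">${t}</a>`;
}

// Smoke test for rendered output: walk the attributes of the <a> tag the
// way a browser would tokenise these particular (double-quoted) strings,
// then flag any on* handler, unexpected attribute, or javascript: href.
// A real test would hand the string to a DOM parser instead of a regex.
function attributeNames(html) {
  const tag = html.match(/<a\s+([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /([A-Za-z:-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

function hasInjectedAttribute(html) {
  const allowed = new Set(['class', 'href', 'title']);
  const names = attributeNames(html);
  const href = html.match(/\shref="([^"]*)"/i);
  const badHref = href !== null && /^\s*javascript:/i.test(href[1]);
  return badHref || names.some((n) => n.startsWith('on') || !allowed.has(n));
}

// Expected: the unsafe card carries an onclick and a javascript: href;
// the safe card carries neither.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderCardUnsafe(CONSTRUCTED_FEED_ITEM));
  console.log(renderCardSafe(CONSTRUCTED_FEED_ITEM));
  console.log(hasInjectedAttribute(renderCardUnsafe(CONSTRUCTED_FEED_ITEM))); // true
  console.log(hasInjectedAttribute(renderCardSafe(CONSTRUCTED_FEED_ITEM)));   // false
}
```

The two rules the hardened renderer follows are the ones that matter for any client that displays feed data it did not author: treat every RSS field (title, description, link, author email) as untrusted text and escape it at the point of output, and allowlist URL schemes for anything that becomes an `href` rather than trusting the feed's `<link>`. The regex attribute walk at the end is only a smoke test for this example's double-quoted markup; a browser tokenises unquoted and malformed attributes differently, so real regression tests should parse the rendered string with a DOM parser.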