Apple Podcasts Auto-Launch Flaw Exposes Users to XSS Attacks via Malicious Shows
Apple Podcasts has begun launching itself spontaneously, displaying peculiar religious and “educational” programs and, in some cases, directing users to potentially malicious websites. Researchers have discovered that the app can be triggered silently from an external web page and forced to open a podcast chosen by an attacker—one such podcast even leads to a page attempting an XSS attack.
Over the past several months, security researcher Wardle observed that Apple Podcasts on both iOS and macOS would intermittently open on its own, presenting strange spiritual or educational shows. At times, after unlocking their computer, users found the app already running, displaying an obscure podcast with a nonsensical title or even with someone else’s Gmail address in the header. Some episodes do contain recordings of sermons, while others are entirely silent — seemingly created solely to exist in the directory.
This behavior does not appear to be a simple interface glitch but rather a deliberate attempt by someone to “probe” Apple Podcasts and its user base. Wardle managed to replicate the phenomenon via a web page: simply loading the site causes the system, without any warning, to launch Apple Podcasts and display an attacker-selected podcast. Unlike the behavior seen when a web page opens an application such as Zoom, macOS does not prompt the user for confirmation before launching the external program.
While this auto-launch mechanism is not an attack on its own, the expert notes that it creates an exceedingly convenient delivery vector should a vulnerability ever be found in the app. In effect, an attacker gains a reliable method to force tens or hundreds of thousands of machines to load a specific screen in Apple Podcasts without any user interaction.
There is already a clearer indication of potential abuse. One of the mysterious podcasts highlighted in the investigation carries a garbage-like title—something resembling “5../XEWE2′””””…”—and directs users to a website that attempts to execute an XSS (cross-site scripting) attack. Such attacks embed malicious code into what appears to be a trusted page and can then be used, for example, to steal user data. XSS may be considered a “low-hanging fruit” by modern security standards, but it remains widely exploited.
In this case, the malicious URL is hidden in the podcast’s “Show Website” field. When a user clicks through, they are taken to a domain such as test[.]ddv[.]in[.]ua, where a pop-up appears with the message “XSS” and a domain reference — as though someone is deliberately testing and showcasing the vulnerability. Reviews for the podcast already include complaints: one listener plainly calls it an “XSS attack attempt” and questions “how Apple could possibly allow this in the directory.”
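The “Show Website” field is a directory-supplied string, so any client that renders it should treat it as untrusted input. The following JavaScript is an added example, not code from the article or from Apple: it contrasts a rendering function that concatenates podcast metadata straight into markup with a hardened version that HTML-escapes text fields and accepts only absolute http(s) URLs for the website link. The `SUSPICIOUS_SHOW` and `NORMAL_SHOW` records are constructed sample data, and the function names are the author’s own, not part of any Apple API.

```javascript
// Added example (not from the article): rendering untrusted podcast directory
// fields safely. Directory-supplied strings such as a show title or the
// "Show Website" URL must be treated as attacker-controlled input.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; reject javascript:, data:, relative
// paths and anything that does not parse as a URL at all.
function safeWebsiteUrl(value) {
  let url;
  try {
    url = new URL(String(value).trim());
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// Vulnerable rendering: fields are interpolated straight into markup, so a
// title containing <script> or a javascript: URL in the website field is
// emitted verbatim into the page.
function renderShowUnsafe(show) {
  return `<h2>${show.title}</h2><a href="${show.website}">Show Website</a>`;
}

// Hardened rendering: escape text, validate the URL scheme, and open the
// link in a new context with rel=noopener so the directory page's window
// object is not reachable from the destination.
function renderShowSafe(show) {
  const href = safeWebsiteUrl(show.website);
  const link = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">Show Website</a>`
    : `<span class="missing-website">No valid website listed</span>`;
  return `<h2>${escapeHtml(show.title)}</h2>${link}`;
}

// Constructed sample resembling a probing entry: a title carrying quotes and
// markup, and a javascript: URL in the website field.
const SUSPICIOUS_SHOW = {
  title: `5../XEWE2'""""<script>alert("XSS")</script>`,
  website: "javascript:alert('XSS')",
};

// Constructed benign entry for comparison.
const NORMAL_SHOW = {
  title: "Morning Sermons",
  website: "https://example.com/podcast",
};

console.log(renderShowUnsafe(SUSPICIOUS_SHOW)); // markup and javascript: URL survive
console.log(renderShowSafe(SUSPICIOUS_SHOW));   // escaped title, link replaced by a span
console.log(renderShowSafe(NORMAL_SHOW));       // normal link rendered
```

Scheme validation is the part that escaping alone does not cover: `javascript:` inside a quoted `href` attribute is syntactically valid HTML, so a value that passes HTML escaping still executes when clicked. Validating the parsed URL’s protocol before it ever reaches the attribute closes that gap.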
It remains unknown whether anyone has successfully chained these behaviors together — from triggering the strange podcast to exploiting a vulnerability. Yet Wardle believes it is clear that someone is systematically stress-testing Apple Podcasts, probing how easily it can be weaponized. To him, the situation resembles the old wave of Google Calendar spam, when attackers flooded users with events containing phishing links.
Against this backdrop, Apple’s silence appears even more puzzling. According to the report, the company ignored five separate requests from 404 Media seeking comment, even though it responded to other inquiries during the same period. Formally, this is not yet a critical vulnerability, but such “small oddities” often mark the earliest warning signs that a popular service has become a convenient staging ground for experimentation — and for attacks yet to come.