Six Colors

Apple, technology, and other stuff


Is Apple Podcasts being used as an attack vector?

Joseph Cox of 404 Media reports on an unusual phenomenon that he and other Apple users have seen: “both the iOS and Mac versions of the Podcasts app… open religion, spirituality, and education podcasts with no apparent rhyme or reason.” It appears that someone is using Apple’s auto-opening technology to kick off a hacking attack:

That said, someone has tried to deliver something a bit more malicious through the Podcasts app. It’s the first podcast I mentioned, with the title “5../XEWE2′””&#x22″onclic…”. Maybe some readers have already picked up on this, but the podcast is trying to direct listeners to a site that attempts to perform a cross-site scripting, or XSS, attack. XSS is basically when a hacker injects their own malicious code into a website that otherwise looks legit. It’s definitely a low-hanging fruit kind of attack, at least today. I remember it being way, way more common 10 years ago, and it was ultimately what led to the infamous MySpace worm.

Apple did not comment for Cox’s story. My guess is that this is someone testing around the edges to see if there’s a vulnerability here, but even if everything’s secure, nobody should have strange podcasts opening up in the Podcasts app.
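As an added example, not code from this post, from 404 Media, or from Apple, here is the defensive side of the XSS attempt Cox describes. Any client that renders podcast metadata into HTML has to treat the feed's title and author fields as untrusted text, and the simplest reliable defense is to escape every character that can change HTML structure before the string reaches a tag or attribute. The sample podcast record below is constructed to resemble the title quoted in the story (the "onclic..." fragment is left truncated as it appears there); the function and record names are mine, not a real podcast client's API.

```javascript
// Added example: escaping untrusted podcast metadata before rendering it as HTML.
// Not code from Six Colors, 404 Media, or Apple's Podcasts app.

// Characters that can change HTML structure when emitted raw. The ampersand
// entry matters for input like "&#x22": escaping "&" to "&amp;" stops the
// browser from decoding that pre-encoded entity back into a live quote.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Replace every structurally significant character with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample feed entry modelled on the title quoted in Cox's report.
// The trailing "..." is kept as-is rather than guessing the rest of the payload.
const SAMPLE_PODCAST = {
  title: `5../XEWE2'""&#x22"onclic...`,
  author: "Unknown",
};

// Render one feed entry. Both fields come from the feed, so both are escaped.
// The title is placed in an attribute as well as in element text, because an
// attribute is exactly where an unescaped quote would let the rest of the
// string start a new attribute such as an event handler.
function renderPodcastEntry(podcast) {
  const title = escapeHtml(podcast.title);
  const author = escapeHtml(podcast.author);
  return `<li data-title="${title}"><strong>${title}</strong> by ${author}</li>`;
}

// Review helper: in the template above the only raw double quotes that should
// survive are the two that delimit the data-title attribute. Any more means
// untrusted text reached the markup unescaped.
function countRawQuotes(rendered) {
  return (rendered.match(/"/g) || []).length;
}

// Stand-alone demonstration.
const rendered = renderPodcastEntry(SAMPLE_PODCAST);
console.log(rendered);
console.log("raw quotes in output:", countRawQuotes(rendered)); // expected 2
```

Running the block shows the quote, apostrophe and ampersand in the title all turned into entities, so the text is displayed verbatim to the listener but cannot close the `data-title` attribute or introduce a new one. The same treatment applies to any other field a feed controls (description, episode titles, artwork URLs), and to any templating path that does not already escape by default.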
