{"id":14571,"date":"2025-11-29T08:57:09","date_gmt":"2025-11-29T15:57:09","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=14571"},"modified":"2025-11-29T08:58:12","modified_gmt":"2025-11-29T15:58:12","slug":"someone-is-trying-to-hack-people-through-apple-podcasts","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2025\/11\/29\/someone-is-trying-to-hack-people-through-apple-podcasts\/","title":{"rendered":"Someone Is Trying to \u2018Hack\u2019 People Through Apple Podcasts"},"content":{"rendered":"\n<p>Something to be aware of if you&#8217;re an Apple Podcasts user. I&#8217;m not sure if you can disable the app and use something else, but that might be a good option if you can. Maybe check out apps that support Podcasting 2.0 and its advanced features, <a href=\"https:\/\/podcasting2.org\/apps\">https:\/\/podcasting2.org\/apps<\/a>. I like Pocket Casts on Android myself, but they also have an iOS version.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.404media.co\/someone-is-trying-to-hack-people-through-apple-podcasts\/\">https:\/\/www.404media.co\/someone-is-trying-to-hack-people-through-apple-podcasts\/<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_c524c0c2-ae18-48e8-92d4-ce0e7ec43d85\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<p>By Joseph Cox<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.404media.co\/content\/images\/size\/w2000\/2025\/11\/jimmy-jin-IaDnLLFMqhk-unsplash.jpg\" alt=\"Someone Is Trying to \u2018Hack\u2019 People Through Apple Podcasts\"\/><figcaption class=\"wp-element-caption\">Photo by&nbsp;<a 
href=\"https:\/\/unsplash.com\/@jimmyjin?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText\">Jimmy Jin<\/a>&nbsp;on&nbsp;<a href=\"https:\/\/unsplash.com\/photos\/people-standing-in-front-of-white-wall-IaDnLLFMqhk?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText\">Unsplash<\/a>.<\/figcaption><\/figure>\n\n\n\n<p>Something very strange is happening to the Apple Podcasts app. Over the last several months, I\u2019ve found both the iOS and Mac versions of the Podcasts app will open religion, spirituality, and education podcasts with no apparent rhyme or reason. Sometimes, I unlock my machine and the podcast app has launched itself and presented one of the bizarre podcasts to me. On top of that, at least one of the podcast pages in the app includes a link to a potentially malicious website. Here are the titles of some of the very odd podcasts I\u2019ve had thrust upon me recently (I\u2019ve trimmed some and defanged some links so you don\u2019t accidentally click one):<\/p>\n\n\n\n<p>\u201c5..\/XEWE2&#39;&quot;&quot;&amp;#x22&quot;onclic\u2026\u201d<\/p>\n\n\n\n<p>\u201cfree will, free willhttp:\/\/www[.]sermonaudio[.]com\/rss_search.asp?keyword=free%will on SermonAudio\u201d<\/p>\n\n\n\n<p>\u201cLeonel Pimentahttps:\/\/play[.]google[.]com\/store\/apps\/detai\u2026\u201d<\/p>\n\n\n\n<p>\u201chttps:\/\/open[.]spotify[.]com\/playlist\/53TA8e97shGyQ6iMk6TDjc?&#8230;\u201d<\/p>\n\n\n\n<p>There was another with a title in Arabic that loosely translates to \u201cWords of Life\u201d and includes someone\u2019s Gmail address. Sometimes the podcasts do have actual audio (one was a religious sermon); others are completely silent. The podcasts are often years old, but for some reason are being shown to me now.<\/p>\n\n\n\n<p>I\u2019ll be honest: I don\u2019t really know what exactly is going on here. And neither did an expert I spoke to. 
But it\u2019s clear someone, somewhere, is trying to mess with Apple Podcasts and its users.<\/p>\n\n\n\n<p>\u201cThe most concerning behavior is that the app can be launched automatically with a podcast of an attacker\u2019s choosing,\u201d Patrick Wardle, a macOS security expert and the creator of Mac-focused <a href=\"https:\/\/objective-see.org\/about.html?ref=404media.co\" target=\"_blank\" rel=\"noreferrer noopener\"><u>cybersecurity organization Objective-See<\/u><\/a>, said. \u201cI have replicated similar behavior, albeit via a website: simply visiting a website is enough to trigger Podcasts to open (and load a podcast of the attacker\u2019s choosing), and unlike other external app launches on macOS (e.g. Zoom), no prompt or user approval is required.\u201d<\/p>\n\n\n\n<p>To caveat straight away: this isn\u2019t <em>that<\/em> alarming. This is not the biggest hack or issue in the world. But it\u2019s still very weird behavior and Apple has not responded to any of my requests for comment for months. \u201cOf course, very much worth stressing, on its own this is not an attack,\u201d Wardle continued. \u201cBut it does create a very effective delivery mechanism if (and yes, big if) a vulnerability exists in the Podcasts app.\u201d<\/p>\n\n\n\n<p>That said, someone has tried to deliver something a bit more malicious through the Podcasts app. It\u2019s the first podcast I mentioned, with the title \u201c5..\/XEWE2&#39;&quot;&quot;&amp;#x22&quot;onclic\u2026\u201d. Maybe some readers have already picked up on this, but the podcast is trying to direct listeners to a site that attempts to perform a cross-site scripting, or XSS, attack. XSS is basically when a hacker injects their own <a href=\"https:\/\/owasp.org\/www-community\/attacks\/xss\/?ref=404media.co\" target=\"_blank\" rel=\"noreferrer noopener\"><u>malicious code into a website that otherwise looks legit<\/u><\/a>. It\u2019s definitely a low-hanging fruit kind of attack, at least today. 
I remember it being way, way more common 10 years ago, and it was ultimately what led <a href=\"https:\/\/www.vice.com\/en\/article\/the-myspace-worm-that-changed-the-internet-forever\/?ref=404media.co\" target=\"_blank\" rel=\"noreferrer noopener\"><u>to the infamous MySpace worm<\/u><\/a>. <\/p>\n\n\n\n<p>The weird link is included in the \u201cShow Website\u201d section of the podcast\u2019s page. Visiting that redirects to another site, \u201ctest[.]ddv[.]in[.]ua.\u201d A pop-up then says \u201cXSS. Domain: test[.]ddv[.]in[.]ua.\u201d<\/p>\n\n\n\n<p>I\u2019m seemingly not the only one who has seen this. A review left in the Podcasts app just a few weeks ago says \u201cScam. How does Apple allow this attempted XSS attack?\u201d The person gave the podcast one star. That podcast itself dates from around 2019.<\/p>\n\n\n\n<p>\u201cWhether any of those attempts have worked remains unclear, but the level of probing shows that adversaries are actively evaluating the Podcasts app as a potential target,\u201d Wardle said.<\/p>\n\n\n\n<p>Overall, the whole thing gives a similar vibe to Google Calendar spam, where someone will sneakily add an event to your calendar and include whatever info or link they\u2019re trying to spread around. I remember that being a <a href=\"https:\/\/www.pcmag.com\/news\/dont-get-duped-by-this-sneaky-google-calendar-spam?ref=404media.co\" target=\"_blank\" rel=\"noreferrer noopener\"><u>pretty big issue a few years ago<\/u><\/a>.&nbsp;<\/p>\n\n\n\n<p>Apple did not acknowledge or respond to five emails requesting comment. The company did respond to other emails for different articles I was working on across that time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Something to be aware of if you&#8217;re an Apple Podcast user. I&#8217;m not sure if you can disable the app and use something else, but that might be a good option if you can. 
Maybe check out apps that support Podcasting 2.0 and its advanced features, https:\/\/podcasting2.org\/apps. I like Pocket Casts on Android myself, but [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-14571","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/14571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=14571"}],"version-history":[{"count":2,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/14571\/revisions"}],"predecessor-version":[{"id":14573,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/14571\/revisions\/14573"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=14571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=14571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=14571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
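The podcast title quoted in the article, 5../XEWE2'""&#x22"onclic…, is a textbook XSS probe: a run of quotes, plus the same quote encoded as the HTML entity &#x22, aimed at closing an attribute in whatever page or app renders the feed's metadata so that an event-handler attribute can follow. As an added illustration (not code from this post, from 404 Media, or from Apple), here is a small JavaScript renderer for a podcast's title and its "Show Website" link, written first the vulnerable way and then hardened. The probe string is taken from the article as trimmed there; the example.com link, the http(s)-only link policy, and all function names are assumptions of this example, not a description of how Apple Podcasts works.

```javascript
// Added example (not code from the blog post, 404 Media, or Apple): rendering
// untrusted podcast metadata, i.e. the attacker-controlled title and the
// "Show Website" link, without letting either turn into markup or a script link.
// Sample input is constructed from the trimmed probe title quoted in the article.

// The probe title as quoted (and trimmed) in the article. It carries a double
// quote both literally and as the entity &#x22, so an escaper that forgets "&"
// still lets a browser decode the entity back into a quote.
const PROBE_TITLE = "5../XEWE2'\"\"&#x22\"onclic\u2026";

// Escape the five characters that can change HTML context. Safe for both text
// nodes and double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: feed fields are interpolated straight into attribute and
// text positions. The first raw quote in the title closes title="", and whatever
// follows (here the truncated "onclic...") lands in attribute-name position.
function renderUnsafe(title, url) {
  return `<a href="${url}" title="${title}">${title}</a>`;
}

// Link policy assumed for this example: only absolute http(s) URLs are allowed
// for the "Show Website" field; javascript:, data:, custom app schemes and
// unparseable strings are replaced by "#".
function safeUrl(u) {
  try {
    const parsed = new URL(String(u));
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return parsed.href;
    }
  } catch (_) {
    // not parseable as an absolute URL
  }
  return "#";
}

// Hardened renderer: every untrusted value is escaped for the context it is
// placed in, and the link target passes the scheme allowlist first.
function renderSafe(title, url) {
  const t = escapeHtml(title);
  const href = escapeHtml(safeUrl(url));
  return `<a href="${href}" title="${t}" rel="noopener noreferrer">${t}</a>`;
}

// Count raw double quotes in rendered HTML. Output from renderSafe has exactly
// six (three attributes, two delimiters each); from renderUnsafe it has four
// delimiters plus every quote the title smuggled in. Extra quotes mean the
// untrusted data escaped its attribute.
function countRawQuotes(html) {
  return (html.match(/"/g) || []).length;
}

// Stand-alone demo with a placeholder link constructed for the example.
console.log("unsafe:", renderUnsafe(PROBE_TITLE, "https://example.com/"));
console.log("  raw quotes:", countRawQuotes(renderUnsafe(PROBE_TITLE, "https://example.com/")));
console.log("safe:  ", renderSafe(PROBE_TITLE, "https://example.com/"));
console.log("  raw quotes:", countRawQuotes(renderSafe(PROBE_TITLE, "https://example.com/")));
```

Run it with node. The point worth taking from the probe is the `&#x22` half: escaping only `"` and `<` leaves the entity intact, and a browser will decode it to a quote when it parses the attribute, so the escaper has to treat `&` as untrusted too. The scheme allowlist is separate hardening for the link field and is this example's own policy, not something the article attributes to Apple.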