PSA: Apple's Podcasts App May Be Enabling Malicious Content Delivery

Security researchers have identified suspicious activity in Apple's Podcasts app that could be used to deliver malicious content to users, based on a report by 404Media's Joseph Cox.


Cox's report describes some unusual experiences with the Podcasts app that certainly suggest something untoward is going on across both iOS and macOS versions. He says that over recent months, the app has automatically launched and displayed different podcasts without his input. On Mac and iPhone, the app has opened religion, spirituality, and education podcasts for no apparent reason, in some cases even launching itself the moment Cox unlocked his device.

The podcasts in question often feature unusual titles containing code fragments, URLs, and in some cases, attempts at cross-site scripting attacks.

Objective-See security expert Patrick Wardle told Cox he was able to replicate similar behavior, but in his case via a website. "Simply visiting a website is enough to trigger Podcasts to open (and load a podcast of the attacker's choosing), and unlike other external app launches on macOS, no prompt or user approval is required," Wardle told 404 Media.

One particularly concerning podcast apparently includes a link that redirects to a site attempting an XSS attack – a technique in which attackers inject malicious code into otherwise legitimate-looking websites. When visited, the site displays a pop-up acknowledging the XSS attempt.
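The titles described above are untrusted feed metadata that a client ends up rendering. As an added example (not code from the article, from 404 Media, or from Apple), here is the kind of ingest check a podcast client or directory could run: parse a constructed RSS feed, flag episode titles that contain markup, URLs or script-like fragments, and produce an HTML-escaped form that renders as inert text. The feed content and the heuristic patterns are assumptions for illustration.

```python
"""Flag and neutralise suspicious episode titles in a podcast RSS feed."""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample feed: one benign episode, one carrying markup and a URL.
# XML entities decode to a literal "<script>" tag in the parsed title.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example Show</title>
<item><title>Episode 1: Morning reflections</title></item>
<item><title>&lt;script&gt;alert(1)&lt;/script&gt; visit http://example.invalid</title></item>
</channel></rss>"""

# Heuristics for "not a normal title". They are deliberately broad, so treat
# a hit as something to review or render safely, not as proof of an attack.
SUSPICIOUS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("url", re.compile(r"https?://", re.IGNORECASE)),
    ("script_fragment", re.compile(r"alert\s*\(|eval\s*\(|javascript:|document\.", re.IGNORECASE)),
]


def classify_title(title: str) -> list[str]:
    """Return the names of every heuristic the title trips (empty if none)."""
    return [name for name, pat in SUSPICIOUS if pat.search(title)]


def safe_title(title: str) -> str:
    """Escape the title so a web view shows it as text, never as markup."""
    return html.escape(title, quote=True)


def scan_feed(xml_text: str) -> list[dict]:
    """Parse the feed and report each episode's flags and escaped title."""
    root = ET.fromstring(xml_text)
    report = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        report.append({"title": title, "flags": classify_title(title), "safe": safe_title(title)})
    return report


if __name__ == "__main__":
    for entry in scan_feed(SAMPLE_FEED):
        status = "SUSPICIOUS" if entry["flags"] else "ok"
        print(f"{status:10} {entry['flags']} {entry['safe']}")
```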

Wardle notes that while this behavior isn't immediately dangerous on its own, it creates an effective delivery mechanism if vulnerabilities do exist within the Podcasts app. "The level of probing shows that adversaries are actively evaluating the Podcasts app as a potential target," he said.

The situation bears similarities to reports of Google Calendar spam from several years ago, where bad actors would add unsolicited events containing links or promotional content to users' calendars.

Apple did not respond to Cox's multiple requests for comment about the issue. Has the Podcasts app exhibited similar unusual behavior in your experience? Let us know in the comments.

This article, "PSA: Apple's Podcasts App May Be Enabling Malicious Content Delivery" originally appeared on MacRumors.com