If you’ve had Apple Podcasts open randomly to a show you don’t subscribe to, you’re not alone. Here’s what’s going on.
No immediate danger, but still worth addressing
A new report from 404 Media describes an odd situation in which the Apple Podcasts app appears to open unprompted, usually to a “religion, spirituality, and education” podcast.
Making things even weirder, at least one podcast has presented a potentially malicious link, which could enable an old attack method known as cross-site scripting, or XSS.
404 Media notes that while the issue is annoying, it doesn’t pose an immediate risk to users. It does, however, leave the door open to a potentially more serious problem if someone discovers a vulnerability in the app that could be exploited in conjunction with this behavior.
From the report:
“That said, someone has tried to deliver something a bit more malicious through the Podcasts app. It’s the first podcast I mentioned, with the title “5../XEWE2′””"″onclic…”. Maybe some readers have already picked up on this, but the podcast is trying to direct listeners to a site that attempts to perform a cross-site scripting, or XSS, attack. XSS is basically when a hacker injects their own malicious code into a website that otherwise looks legit. It’s definitely a low-hanging fruit kind of attack, at least today. I remember it being way, way more common 10 years ago, and it was ultimately what led to the infamous MySpace worm.”
404 Media also notes that some shows that auto-open on Apple Podcasts date back to at least 2019, with occasional episodes that are either entirely silent or in languages other than English.
As 9to5Mac readers will likely recall, this isn’t the first time an Apple service or platform has faced issues like this. Just a few months ago, there was a resurgence of crypto spam on Apple Calendar, and iMessage has also faced spam issues in the past.
Over the years, Apple has implemented multiple user settings and system-level filters to help curb this kind of spam, but bad actors seem to be growing increasingly creative in finding ways to circumvent Apple’s protections.
In the case of Apple Podcasts, the problem appears to stem from the ability to auto-launch the app from a link, without requiring the user to actually click on anything.
From the report:
“‘The most concerning behavior is that the app can be launched automatically with a podcast of an attacker’s choosing,’ Patrick Wardle, a macOS security expert and the creator of Mac-focused cybersecurity organization Objective-See, said. ‘I have replicated similar behavior, albeit via a website: simply visiting a website is enough to trigger Podcasts to open (and load a podcast of the attacker’s choosing), and unlike other external app launches on macOS (e.g. Zoom), no prompt or user approval is required.’”
404 Media tried to reach out to Apple multiple times about the issue, but says the company didn’t respond.
Has this ever happened to you? Let us know in the comments.