Apple Podcasts: Self-Opening App & Potential Security Risks

by Sophie Williams

Apple Podcast users are reporting instances of the app launching and playing episodes seemingly at random, a phenomenon first noted months ago and affecting both iPhone and Mac devices [[1]]. While the unsolicited playback often features podcasts with religious or spiritual content, security researchers are now raising concerns that the issue could be a delivery mechanism for malicious code, potentially exploiting cross-site scripting vulnerabilities [[2]], [[3]]. Notably, Apple has yet to publicly address the reports despite repeated inquiries from journalists and security experts.

Apple Podcast users have been reporting a strange issue for months: the app launching on its own and playing unexpected podcast episodes. The problem appears to affect both iPhone and Mac devices.

Journalist Documents Unsolicited Podcast Playback

The issue came to light after journalist Joseph Cox experienced the phenomenon repeatedly and began documenting it. According to Cox, the Podcast app opens without being initiated, often featuring podcasts with religious or spiritual themes. Some episodes are silent, while others contain spoken-word content.

The episode titles themselves are often unusual, frequently containing strings of code or web addresses. Examples include titles with seemingly random characters and symbols, or those that link to websites with lengthy URLs.

Potential Security Concerns Raised

In some instances, the podcasts attempt to redirect listeners to websites that could potentially execute a cross-site scripting attack – a method of injecting malicious code through a website. This was reported by tek.no. The incident underscores the growing need for vigilance regarding potential vulnerabilities in popular apps.

Security researcher Patrick Wardle of Objective-See stated that the most concerning aspect is the app’s apparent ability to launch automatically and play a specific podcast chosen by an attacker. Wardle was able to replicate a similar scenario where a website triggered the Podcast app to open and play a selected episode.

“This could become a very effective way to exploit vulnerabilities if a weakness exists within the Podcast app,” Wardle warned.

Apple Remains Silent

According to reports, Apple has not yet responded to inquiries regarding the issue, despite repeated requests over several months.
