Overview
- Multiple reports describe Apple Podcasts opening by itself on iOS and macOS to unfamiliar shows, often in religion or education categories.
- Some of the surfaced podcasts are years old or silent, and at least one show page contains a link that redirects to test.ddv.in.ua and displays an "XSS" pop-up.
- macOS researcher Patrick Wardle reports that merely loading a web page can cause Podcasts to launch and load a show of the attacker’s choosing, with no approval prompt shown to the user.
- Wardle says this behavior is not an exploit by itself but could serve as an effective delivery mechanism if a separate vulnerability exists in the app.
- Apple has not responded to repeated requests for comment, and user reviews together with reporters' own observations indicate the behavior affects more than a single device.