Overview
- 404 Media documented months of the Apple Podcasts app launching itself on iOS and macOS to unfamiliar religion, spirituality, and education shows.
- macOS security researcher Patrick Wardle replicated the auto-launch via a website, saying no user approval is required to open a chosen podcast.
- One podcast’s Show Website link redirects to test.ddv.in.ua, which displays an “XSS” popup, demonstrating an attempted cross-site scripting payload.
- Reports note some auto-opened podcasts date to 2019, include silent episodes or non‑English content, and recent user reviews flag an attempted XSS.
- Researchers stress there is no confirmed widespread exploit yet but warn the behavior could deliver one if a flaw exists; Apple has not responded to requests for comment.