Joseph Cox of 404Media reports that security researchers have found suspicious activity in Apple's Podcasts app which suggests it is being probed as a channel for delivering malicious content to users. Cox describes unusual behaviour in Apple Podcasts, seen across app versions on both macOS and iOS, that hinted something malicious was going on.
For instance, one podcast carried a link that redirected users to a site attempting an XSS (cross-site scripting) attack, a technique in which attackers inject script into a legitimate website so that it runs in the browser of anyone who visits it. Visiting the site displayed a pop-up announcing the XSS attempt, the usual sign that injected script has executed.
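To make the mechanism concrete, here is an added example (not code from 404Media's report, and not Apple's Podcasts app code, whose internals the report does not describe). It assumes a hypothetical podcast client that renders feed metadata as HTML, and uses a constructed feed item carrying the kind of `alert()` probe the article describes. It shows the naive rendering that would execute the probe, a hardened renderer that escapes text and allowlists link schemes, and a crude triage check for flagging such probes in feed content.

```javascript
// Added example: how an XSS probe smuggled into podcast feed metadata behaves in a
// naive HTML renderer versus a hardened one. Hypothetical client; constructed data.

// Constructed sample feed item, not taken from any real podcast feed.
const feedItem = {
  title: 'Episode 12 <script>alert("XSS")</script>',
  link: 'javascript:alert(document.domain)',
  description: '<img src=x onerror="alert(\'XSS\')">Show notes',
};

// Unsafe: raw interpolation of feed fields into markup. A client that did this
// would run whatever script the feed author embedded, which is what the
// acknowledging pop-up in the article is testing for.
function renderUnsafe(item) {
  return `<h2>${item.title}</h2><a href="${item.link}">Listen</a><p>${item.description}</p>`;
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) links may become clickable; javascript:, data: and unparsable
// values are dropped rather than escaped, since escaping does not neutralise them.
function safeUrl(u) {
  try {
    const parsed = new URL(String(u));
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : null;
  } catch {
    return null;
  }
}

// Hardened: every feed field is treated as untrusted text; links are allowlisted.
function renderSafe(item) {
  const link = safeUrl(item.link);
  const anchor = link
    ? `<a href="${escapeHtml(link)}" rel="noopener noreferrer">Listen</a>`
    : '<span>(link removed)</span>';
  return `<h2>${escapeHtml(item.title)}</h2>${anchor}<p>${escapeHtml(item.description)}</p>`;
}

// Crude triage check for feed content: flags the classic probe markers
// (script tags, inline event handlers, javascript: URLs, alert() calls).
const PROBE_PATTERNS = [/<script\b/i, /\bon[a-z]+\s*=/i, /javascript:/i, /alert\s*\(/i];
function looksLikeXssProbe(item) {
  return Object.values(item).some((v) => PROBE_PATTERNS.some((re) => re.test(String(v))));
}

console.log('unsafe:', renderUnsafe(feedItem));
console.log('safe:  ', renderSafe(feedItem));
console.log('probe? ', looksLikeXssProbe(feedItem));
```

The triage check is deliberately coarse and will produce false positives on legitimate show notes that mention these strings; it is a flag for review, not a blocklist. The real fix is the renderer: a client that never interpolates feed text into markup has nothing for a probe to trigger, which is the precondition Wardle's comment below is getting at.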
Apple has not acknowledged the issue or responded to Cox's multiple requests for comment. Patrick Wardle, a security expert from Objective-See, says this alone is not an immediate danger: it is a delivery mechanism that only becomes effective if vulnerabilities exist in the Apple Podcasts app, but the level of probing does show adversaries are evaluating it as a potential target.
The issue has some similarities to the Google Calendar spam of a couple of years ago, in which attackers added unsolicited events carrying promotional links to users' calendars.
