Autostarting Apple Podcasts tries to hack humans by throwing religion, spirituality, and education lectures at them

You know that feeling when you unlock your phone and suddenly Apple Podcasts is open, showing you some random spirituality podcast from 2018 that you definitely didn’t tap on? Well, turns out that’s not just a quirky glitch—it’s actually someone trying to hack you.

Over the past several months, users have been reporting some seriously strange behavior from Apple Podcasts across both iOS and Mac platforms. According to 404 Media, people are finding the app launching automatically and displaying religion, spirituality, and education podcasts with no apparent trigger. Sometimes you’ll unlock your device and boom—there’s the podcast app, presenting some bizarre show that’s often years old but somehow surfacing now. What makes this particularly concerning is that these mystery podcast pages include links to potentially malicious websites designed to execute cross-site scripting attacks.

How the Apple Podcasts exploit actually works

The technical mechanics reveal just how vulnerable Apple’s ecosystem can be to creative attack vectors. The Apple Podcasts app can be launched automatically with content of an attacker’s choosing, and according to 404 Media, simply visiting a website is enough to trigger Podcasts to open and load a podcast selected by the attacker.

[…]

Apple’s ecosystem security under siege

What makes this podcast vulnerability particularly troubling is how it fits into Apple’s broader security landscape, which has been under increasing pressure from sophisticated attacks. Recent security advisories reveal that multiple vulnerabilities across Apple products could enable arbitrary code execution, with successful exploitation potentially allowing attackers to install programs, modify data, or create new accounts with full user privileges, according to the Center for Internet Security. The scope affects devices running older versions of iOS, iPadOS, macOS, watchOS, tvOS, and visionOS, though fortunately no active exploitation has been reported in the wild.

Even more concerning are recently disclosed zero-click iMessage exploits that remained unpatched through multiple iOS versions. A strategic disclosure revealed vulnerabilities affecting iOS 18.2 through 18.4 that enabled Secure Enclave key theft, crypto wallet draining, and device-to-device propagation via MultipeerConnectivity, as reported in security research. Apple eventually addressed these issues quietly in iOS 18.4.1 without public acknowledgment, highlighting ongoing transparency concerns in vulnerability handling. The fact that these zero-click exploits could facilitate extraction of Secure Enclave-protected keys and enable silent crypto wallet draining demonstrates how sophisticated modern attacks have become against Apple’s supposedly secure architecture.

[…]

Source: Apple Podcasts Security Flaw Enables Device Hijacking « Apple :: Gadget Hacks

Robin Edgar
