I was just made aware of this recently, having never really considered it. It’s kinda cool though.

A podcast can be used to deliver malicious content to your computer. Malicious in this context, I think, is more along the lines of scareware, ads, data loss, etc., not so much apps that are dropped on your computer, but I could be wrong.

The format of a podcast starts off looking something like this.

Depending on how you intend to deliver the podcast, you’re also likely to include tags that are specific to iTunes. Some of those are shown below.

That’s about it, with the exception of the content. The content of a podcast is a varying number of “item” blocks. They look like this.

Again, depending on your target audience, you may have different tags in there.

Now, what I learned recently was that this file is just a plain-old Atom feed delivered to your desktop. The app on the other end will probably end up rendering it as if it were regular old web content. It may apply styles to make it look pretty, but what you see above is the data that gets displayed. So what if you included more data than is expected? It turns out that you can do this.

For example, what if you were to append some JavaScript to the end of the Atom file?

Depending on the application doing the rendering, you may be able to sneak some code into the application, tricking the user into handing over personal data. You may also be able to hold the hosting application hostage, forcing the user to click on redirects to your malicious site, enter data, or view content they normally would not.
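The defensive side of the same observation, as an added example that is my own code and not from the original post: a podcast client should treat the feed as untrusted input, parse it strictly (so anything appended after the closing root element is a parse error rather than something that gets rendered), and escape every piece of markup in an item's show notes that is not on a short formatting allow-list, so a `<script>` block is displayed as literal text instead of executed. The sample feed, the allow-list and the function names are constructed for illustration and are not tied to any particular podcast app.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not from the post). The single item carries a
# <script> element inside its CDATA description, the kind of payload a
# permissive reader would hand straight to its HTML renderer.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">
  <channel>
    <title>Example Cast</title>
    <itunes:author>Example Author</itunes:author>
    <item>
      <title>Episode 1</title>
      <description><![CDATA[<p>Show notes</p><script>alert(1)</script>]]></description>
      <enclosure url="https://example.invalid/ep1.mp3" type="audio/mpeg" length="1"/>
    </item>
  </channel>
</rss>
"""

# Formatting tags a reader may legitimately render; everything else is escaped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "ul", "ol", "li"}
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def sanitize_html(fragment: str) -> str:
    """Keep allow-listed tags (attributes dropped); escape all other markup and text."""
    out = []
    pos = 0
    for m in TAG_RE.finditer(fragment):
        # Text between tags is always escaped, so script bodies become inert text.
        out.append(html.escape(fragment[pos:m.start()]))
        closing, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append(f"<{closing}{name}>")  # re-emit without any attributes
        else:
            out.append(html.escape(m.group(0)))  # script, iframe, ... shown literally
        pos = m.end()
    out.append(html.escape(fragment[pos:]))
    return "".join(out)


def is_well_formed(xml_text: str) -> bool:
    """Strict parse: content appended after the root element is rejected, not rendered."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parse_feed(xml_text: str) -> list:
    """Return the feed's items with title and description made safe for an HTML view."""
    root = ET.fromstring(xml_text)  # raises ParseError on trailing junk
    items = []
    for item in root.iter("item"):
        enclosure = item.find("enclosure")
        url = enclosure.get("url") if enclosure is not None else None
        # Only fetch media over http(s); drop anything else (javascript:, file:, ...).
        if url is not None and not url.lower().startswith(("http://", "https://")):
            url = None
        items.append({
            "title": html.escape(item.findtext("title") or ""),
            "description": sanitize_html(item.findtext("description") or ""),
            "enclosure": url,
        })
    return items


if __name__ == "__main__":
    for entry in parse_feed(SAMPLE_FEED):
        print(entry["title"], "->", entry["description"])
    print("trailing script accepted:", is_well_formed(SAMPLE_FEED + "<script>alert(1)</script>"))
```

The allow-list approach is deliberately the reverse of a block-list: a new tag or attribute the reader has never seen is escaped by default, which is the property you want when the feed author is the adversary.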

Sneaky sneaky.