Slashdot Mirror


The Podjacker Threat

Schlemphfer writes "As everyone knows by now, podcasting has taken off in a big way. But over the past week, several tech journals and The Daily Source Code have reported on the threat of 'podjacking,' the creation of an alternate RSS feed without the consent of the podcast's owner. I'm the host of a podcast, which has the dubious distinction of being the first widely-publicized victim of a podjacking. To teach others from my experiences I have posted an article entitled Preventing and Surviving a Podjacking (also available in PDF). So far this story has attracted widespread but generally inept media and blogger coverage. This article sets the record straight on what really happened, and shows the simple steps every podcaster should take to protect their shows from podjacking."

3 of 354 comments

  1. "Podjacking" summarized by TrumpetPower! · · Score: 4, Informative

    1) Register evilpodjackingdomain.com.
    2) Find somebody else's podcast.
    3) Mirror that podcast's XML file at evilpodjackingdomain.dom/pwn3d.xml
    4) Get evilpodjackingdomain.dom/pwn3d.xml listed in as many podcast directories as possible.
    5) Wait.
    6) Blackmail original podcaster with threats of modifying / removing your local mirror; all subscribers through evilpodjackingdomain.dom/pwn3d.xml would get whatever you want them to get regardless of what the podcaster wants.
    7) Profit.

    Cheers,

    b&

    --
    All but God can prove this sentence true.
  2. Re:Slashdot overrun by old fogies by Simon+Brooke · · Score: 4, Informative
    I don't think many people understand what a podjacking is. Does it mean someone else distributes an identical podcast file as their own, or does it mean they make their own podcast and pretend it comes from another source?

    What has happened here (if I understand it correctly, and someone will correct me if I don't) is that the guy puts up his mp3s at http://myrealserver.dm/podcast/content0001.mp3 and then he creates an RSS file which points to his mp3s at http://myrealsystem.dm/podcast/feed.rss. The RSS file is essentially a signpost: it isn't the content in itself, it just points to the content. Then, when he posts new mp3 content, he updates his RSS. What is supposed to happen is that people point their podcast client at http://myrealsystem.dm/podcast/feed.rss, and every time he posts new content and updates the RSS it's automatically downloaded.

    But what he's complaining about is that the 'podjacker', evilpirate, has created a new feed, http://evil.pirate/devious/feed.rss, which also points to myrealsite's content. The file at http://evil.pirate/devious/feed.rss is automatically updated using something like wget so that whenever myrealsite adds more content, http://evil.pirate/devious/feed.rss gets updated too.

    evilpirate now registers http://evil.pirate/devious/feed.rss with podcast search engines as the authoritative signpost for myrealsite. Users search for content on the search engine, and if they like myrealsite's content, they point their clients at http://evil.pirate/devious/feed.rss.

    So now some - or even most - of myrealsite's users are finding new myrealsite content through evilpirate's signpost. This gives evilpirate the power to alter where the signpost points to, so that instead of getting myrealsite's content they now get rivalsite's content.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
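The "signpost" mechanism described above, turned into a defensive check a podcaster or directory could run on a feed URL they have been handed: an added example, not code from the original post. It assumes the podcaster publishes an `atom:link rel="self"` pointing at the canonical feed (an RSS best practice) and uses the constructed host names myrealserver.dm, myrealsystem.dm and evil.pirate from the comment.

```python
"""Flag an RSS feed that is served from somewhere other than its canonical home
while its enclosures still point at the real podcaster's hosts (a mirrored feed)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed; host names follow the comment above (not real sites).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
 <channel>
  <title>Example Show (constructed sample)</title>
  <link>http://myrealserver.dm/podcast/</link>
  <atom:link rel="self" href="http://myrealsystem.dm/podcast/feed.rss"/>
  <item>
   <title>Episode 1</title>
   <enclosure url="http://myrealserver.dm/podcast/content0001.mp3" type="audio/mpeg" length="1"/>
  </item>
 </channel>
</rss>"""

# Hosts the podcaster actually controls (assumption for the example).
OWNER_HOSTS = {"myrealserver.dm", "myrealsystem.dm"}


def check_feed(xml_text: str, fetched_from: str, owner_hosts: set) -> dict:
    """Compare where a feed was fetched from with where it claims to live and
    where its enclosures point. Two signals of a mirror:
    - self_link_mismatch: the copied XML still declares the canonical self URL.
    - foreign_feed_host: the feed host is not the owner's, but every mp3 is."""
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    fetched_host = urlparse(fetched_from).hostname or ""
    self_link = channel.find(f"{ATOM}link[@rel='self']") if channel is not None else None
    self_host = urlparse(self_link.get("href", "")).hostname if self_link is not None else None
    enclosure_hosts = {urlparse(e.get("url", "")).hostname or "" for e in root.iter("enclosure")}
    return {
        "fetched_host": fetched_host,
        "self_host": self_host,
        "enclosure_hosts": enclosure_hosts,
        "self_link_mismatch": self_host is not None and self_host != fetched_host,
        "foreign_feed_host": fetched_host not in owner_hosts
        and bool(enclosure_hosts) and enclosure_hosts <= owner_hosts,
    }


def is_suspected_mirror(xml_text: str, fetched_from: str, owner_hosts=OWNER_HOSTS) -> bool:
    """True when either mirror signal fires for the feed at `fetched_from`."""
    findings = check_feed(xml_text, fetched_from, owner_hosts)
    return findings["self_link_mismatch"] or findings["foreign_feed_host"]


if __name__ == "__main__":
    print(is_suspected_mirror(SAMPLE_FEED, "http://myrealsystem.dm/podcast/feed.rss"))  # False
    print(is_suspected_mirror(SAMPLE_FEED, "http://evil.pirate/devious/feed.rss"))       # True
```

A podcaster can run this against every URL a directory lists for their show; a directory can run it before accepting a submission.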
  3. Re:Slashdot overrun by old fogies by mzwaterski · · Score: 5, Informative
    You need to re-read.

    1st dude told 2nd dude to stop directing traffic through their URL to 1st dude's site. (Pretty sure it was more of a redirect than a mirror of an RSS file).

    2nd dude complied.

    1st dude realized that iTunes had used 2nd dude's URL for 1st dude's listing.

    1st dude is sad because all iTunes people who signed up with 2nd dude's URL are lost.

    1st dude tells 2nd dude to put URL directing traffic to 1st dude's podcast backup. 2nd dude decides to capitalize and ask for money.

    1st dude not happy.