Anders Brownworth

Technology and Disruption

Podcast Hijacking (or Podjacking)

A number of people are concerned about podcast hijacking (or ?podjacking?) where a malicious site passes your content off as their own. While podjacking is just like standard RSS hijacking and in theory very possible, it is so rare that I haven't seen many cases of it in the wild. There are, however, several "due diligence" things that can be done to cover your bases if you are worried about being podjacked.

First lets discuss the problem. How could a podjack happen and what are the consequences? Let?s look at an example.

Average Joe creates a podcast and puts it up on his website. Malicious Fred, unable to create his own podcast yet still wanting a piece of the action, decides to podjack Average Joe?s podcast. Because Average Joe publishes an RSS feed pointing to the MP3 files of the legitimate podcast, Malicious Fred can just copy that and post it on his own site. Now some time passes while Malicious Fred is busy posting links to his version of Average Joe?s RSS feed. Let?s say Malicious Fred posted his version of the RSS feed to iTunes before Average Joe did. When Average Joe posts his legitimate RSS podcast feed to iTunes, a duplicate entry is noticed and Average Joe?s legitimate RSS podcast feed is rejected.

This may not seem so bad, but in time, Malicious Joe capitalizes on the Yahoo Podcast directory and Podcast Alley. People are already leaving comments on those sites further adding to Malicious Fred?s illegitimate claim of ownership of Average Joe?s RSS podcast feed.

Now Malicious Fred controls most of the traffic of Average Joe?s podcast and can effectively exercise editorial control over Joe?s content. In an extreme case, Malicious Fred could withhold Average Joe?s content for a ransom but that would probably only happen when Average Joe is being paid for publishing his podcast. Of course Malicious Fred may be selling ads on the site touting Average Joe?s podjacked RSS feed so that could be counted as lost revenue.

You get the idea. True ownership of the content is called into question and getting it sorted out becomes harder and harder. It?s sort of like recovering from identity theft, as times goes on it becomes harder and harder to dig yourself out of the hole, even pushing some to the point of restarting their life with a new identity.

Now, podjacking is just the same idea as any RSS feed hijacking, so what goes for this goes for any other RSS feed. However, there are a few telltale signs of a podjack that you can look for, and some things you can do to make your podcast harder to podjack.

For starters, you can check to see where people are coming from that are downloading the MP3 files used in your podcast. If the referrer in your website logs is from an external entity (Malicious Fred?s RSS feed) you are probably being targeted. However, of course, if Malicious Fred decided to steal your MP3 files as well as your RSS feed, you wouldn?t see hits for the MP3 files either, so checking your website logs for abnormal referrers isn?t a 100% guarantee.

Probably the most important thing you can do is keep your eyes open looking around the net for postings of your own podcast. If Malicious Fred wants to take your traffic, he has to do it in somewhat of a public way. Do regular searches for your podcast and don?t forget to try misspellings as well. If Malicious Fred can?t reach an audience, he won?t be able to be effective at controlling your podcast.

Probably one of the biggest things that makes a podcast harder to usurp than a regular RSS feed, say the content from a blog, is the fact that a blog RSS feed can be automatically scrubbed by a computer where that is much harder with a podcast. Take, for example, Anders.com. The content from my RSS feed is copied in various places on the net. (I won?t point to them because I don?t want to validate them in the search engines by gifting them a link) There is little else I can do to stop this but I have decided that it?s probably not something I have to waste my time worrying about. I?ll think of it as flattering instead. A spam blog stealing my content just has to erase any mention of Anders.com by a search and replace and original authorship is effectively erased. Not so with a podcast because it?s almost impossible to search and replace in an audio file. So the key here is to mention your valid URL in every podcast you do. It would also make sense to make sure there is some music under the mention of your URL so a very determined Malicious Fred can?t just cut out your URL without there being an obvious clip in the music. Doing a show on podjacking is also probably a very good idea.

With the rate at which podcasts are exploding these days, some abuse is to be expected. However, covering some basic groundwork should eliminate the majority of threat and cause Malicious Fred to move on to greener pastures.

Comments (5)

Inga from CA

Anything new or popular bring that kind of behaviour out in certain people. But if a podcaster guy or girl is smart they should be able to protect their podcasts-right? And if someone steals them and asks for a ransom then it is a crime and a law enforcment should get involved. But I havent really heard about podcasts being hijacked yet-maybe it is just a fear.

Anders from RTP

Looks like there are a few people being burned by this now.

http://cyberlaw.stanford.edu/blogs/vogele/archives/003636.shtml

Looks like a "company" calling itself podkeyword.com is actively podjacking. There is some public outcry at:

http://blog.forret.com/blog/2005/12/lets-get-rid-of-podkeywordcom.html

inga from

Interesting. For someone not so technically savy as I am, it does seem that podjacking is preventable, right?

Anders from RTP

It's preventable but you can't eliminate 100% of the threat. Most Internet technologies depend on a trust relationship. For example, because Google is a trusted source, your search rank matters and should be checked regularly. There is no 100% saftey in this game.

George Lambert from

Please have a look at the rest of the story

Markus claims that it is hijacking even though he signed up for the service, sounds like a misunderstanding to me... and I am the one being accused. Please stop by for at least "the other side" thanks.


http://www.podkey.com/

Leave a Comment

Name:
Location: (city / state / country)
Email: (not published / no spam)
Comment:

No HTML is allowed. Cookies must be enabled to post. Your comment will appear on this page after a moderator OKs it. Offensive content will not be published.

Click the umbrella to submit your comment.

To create links in comments:
[link:https://andersbrownworth.com/] becomes https://andersbrownworth.com/
[link:https://andersbrownworth.com/|AndersBrownworth.com] becomes AndersBrownworth.com
Notice there is no rel="nofollow" in these hrefs. Links in comments will carry page rank from this site so only link to things worthy of people's attention.