Popular podcast app Castbox altered RSS feeds and is still removing links

Castbox, the podcast startup that has so far raised $29m since launching in 2016, has been republishing unauthorised and altered versions of podcast RSS feeds, and are still deliberately removing links to podcasters’ websites.

We examined our own Podnews show page on the platform. All links to our website have been removed. Through a link rel=alternate header at the top of the page, this page linked to an altered and republished RSS feed on Castbox’s website (screenshot).

The Castbox version (screenshot) of our RSS feed was heavily modified: only ten episodes are visible, all links in the show notes were removed, as was our copyright notice. All links to Podnews in the RSS feed were replaced with links to Castbox.

The audio links were unaffected.

What’s an RSS feed? An RSS feed is the small computer file that your podcast app looks at to see if your favourite podcaster has published a new episode - and if so, where it is. It also contains show notes, links to a podcaster’s website, and even the podcast’s name. Since it fundamentally controls where the audio is to be found, and contains details of where it comes from, it’s important that it’s controlled by the podcaster. If someone else takes control of it, they can inject advertising in there, remove links, or otherwise affect the integrity of a podcast. Here’s an example of a company publishing fake podcast feeds.

Potential issues with other podcast apps

The RSS feed and the show page linked to each other in accordance with Google Podcasts guidelines; so these feeds could have appeared in the Google Podcasts app and may have looked as if they were the official links for the podcast.

Last week, while testing links in Google search, we saw one podcast’s “play buttons” appearing underneath the Castbox show page. Our understanding is that playing and subscribing to this podcast in Google Podcasts would have subscribed to the Castbox copy of the RSS feed, not the original.

In common with many podcast apps, Castbox uses the Apple Podcasts database to automatically populate its podcast directory. Just like links in a search engine, podcasters typically do not agree terms of use with individual podcast app directories to get listed.

Many apps assign a public web page for podcasts, like this example from Pocket Casts, to allow listeners to share a podcast with their friends. Normally, these pages link to the publisher’s RSS feed and other assets.

Altered podcast RSS feeds were being produced and republished for every podcast carried on Castbox, from This American Life to the BBC’s Global News Podcast. According to our logs, when retrieving RSS, Castbox does not appear to use a specific user-agent, so podcasters cannot block access.

How does Google Podcasts work? It searches the internet for podcasts to automatically list. All of these would have looked like legitimate podcasts, potentially duplicating details in Google’s website and confusing listeners. Here’s our FAQ.

Castbox removed these altered RSS feeds

After we saw an initial post about this in the Podcast Movement Facebook Group and verified the story, we asked Castbox for comment. Five hours later, the altered RSS feeds were removed, and are now longer linked from show pages.

A spokesperson for the company told us:

For our own internal SEO purpose we provided Google descriptions of podcasts using Google’s requested RSS feed as the medium which is for SEO and NOT for users to subscribe to our RSS feed. We failed to anticipate that it would be picked up as duplicated RSS feed from internal bugs and deeply apologize for this mishap. We did not mirror XML feeds to replicate, publish and redirect back to Castbox; however, it is our fault that the HTML source code contains the internal link not intended to be shared externally. Podcasters own their own MP3 on their hosted provider with stats of listen and sub counts which we do not manipulate or redirect to our platform. In any event, RSS subscriptions are not real traffic, only the traffic downloading/playing the mp3 file which is available on their hosted platform.Thank you for catching the bugs, our development team have immediately disabled the APIs to the duplicate links. Again we apologize for infringing on any privacy issues, confusion, concerns and any negative user experience.

A different spokesperson commented within Facebook:

The feeds were for internal use only. They were never meant to be made public. We used our formatted RSS (following Google’s structure data guidelines) to allow Google to show more accurate search results. We did not intend to allow Google to let users subscribe to our RSS, just to play directly from the search result. Those plays/downloads are credited towards the original podcast feed. We have removed all Castbox rss links from page source code, and all rss links are now offline.

It is not immediately apparent how these can be described as internal URLs. They were correctly linked from show pages in accordance with Google guidelines, and designed explicitly for Google to spider, to aid Castbox’s external SEO. Neither the Castbox app nor the show pages appeared to use their output: these list more than ten episodes, and show notes are not truncated.

We asked why the show pages have removed all website links to podcast publishers. Their answer:

Our platform supported hyperlinks until recently. We removed them for safety measures. We still display the URLs but they are not clickable. It’s in our roadmap to reimplement these hyperlinks. Images [in show notes] remain because they are not hyperlinks.

Castbox should be commended for quick action to remove these altered RSS feeds; but their responses could be seen to show some misunderstanding about their relationship with podcasters.

Every podcaster wants their shows everywhere: but only if the audio and RSS feed remain intact and unaltered, including links.