Unencrypted HTTP connections

Apple’s Passwords app was vulnerable for three months


The Apple Passwords app introduced as part of iOS 18 had a critical security vulnerability that left users vulnerable to phishing attacks over a period of almost three months. The problem was only fixed with the update to iOS 18.2.

Security researchers from the Mysk team noticed that their iPhone’s app privacy report listed an unusually high number of connections from the Passwords app to various websites – a total of 130 websites were contacted via unencrypted HTTP connections. Upon closer examination, the researchers discovered that the app not only loaded account logos and icons via HTTP, but also opened password reset pages via the unencrypted protocol by default.


“An attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website,” the Mysk researchers told 9to5Mac.

Danger in public networks

The security vulnerability was particularly problematic in public Wi-Fi networks such as in cafés, airports or hotels. There, an attacker on the same network could have intercepted the original HTTP request before the usual redirection to HTTPS took place. By manipulating the data traffic, it would have been possible to redirect users to deceptively genuine-looking phishing pages, as Mysk showed in a demonstration with a fake Microsoft login page.

Although Apple already fixed the problem in December 2023 with iOS 18.2, the vulnerability has only now been publicly documented. The Passwords app now uses HTTPS for all connections by default.


“We were surprised that Apple did not enforce HTTPS by default for such a sensitive app,” explained the security researchers. “In addition, Apple should offer an option for security-conscious users to disable icon downloads completely.”
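The two defender-side measures implied by the report, auditing an app's outgoing connections for plain HTTP and upgrading every URL to HTTPS before the first request leaves the device (with the option to skip icon downloads that the researchers asked for), as an added illustration in Python. This is not Apple's or Mysk's code; the connection list is constructed in the spirit of an app privacy report, and the hostnames are placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

ICON_SUFFIXES = (".ico", ".png", ".svg", ".jpg", ".jpeg")

# Constructed sample modelled on an app privacy report: (app, URL contacted).
SAMPLE_CONNECTIONS = [
    ("Passwords", "http://example.com/favicon.ico"),
    ("Passwords", "http://accounts.example.net/reset-password"),
    ("Passwords", "https://www.example.com/apple-touch-icon.png"),
    ("Browser", "http://example.org/"),
]


def unencrypted_connections(connections, app_name):
    """Return the plain-HTTP URLs one app contacted, as an auditor would flag them."""
    return [url for app, url in connections
            if app == app_name and urlsplit(url).scheme.lower() == "http"]


def is_icon_url(url):
    """Heuristic: treat favicon/logo-style paths as icon downloads."""
    return urlsplit(url).path.lower().endswith(ICON_SUFFIXES)


def enforce_https(url, allow_icon_downloads=True):
    """Policy applied before any request is sent.

    http:// URLs are rewritten to https:// up front, so no plaintext request
    ever exists for an on-path party to answer before a redirect happens.
    With allow_icon_downloads=False, icon fetches are dropped entirely.
    Returns the URL to request, or None if the request must not be made.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {url}")
    if not allow_icon_downloads and is_icon_url(url):
        return None
    if scheme == "https":
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):  # explicit HTTP default port no longer applies
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for flagged in unencrypted_connections(SAMPLE_CONNECTIONS, "Passwords"):
        print(f"plain HTTP: {flagged} -> {enforce_https(flagged)}")
```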

Conclusion

Apple users should ensure that their devices are updated to at least iOS version 18.2 to be protected against this vulnerability. The incident underlines the importance of encrypted connections for security-critical applications – especially for password managers, which by their very nature manage highly sensitive data.
