Apple’s Passwords App Exposed Users to Phishing Attacks
Apple’s Passwords app, introduced as a standalone application with the release of iOS 18, was found to have a significant security vulnerability that left users susceptible to phishing attacks for nearly three months (via 9to5Mac).

This flaw, present from the app’s launch until it was patched, involved the app making unencrypted HTTP requests when fetching website logos and icons associated with stored passwords.
Security researchers at Mysk identified the issue after observing that the Passwords app was contacting numerous websites over insecure HTTP connections. This behavior raised concerns about potential interception by malicious actors, especially on shared networks such as public Wi-Fi.
The core of the problem lay in the app’s default use of HTTP for retrieving visual elements like logos and icons for stored passwords. While many modern websites automatically redirect HTTP requests to secure HTTPS connections, the initial unencrypted request posed a security risk. Attackers with access to the same network could intercept these requests and manipulate them to direct users to malicious sites that mimic legitimate login pages.
Upon being notified of the vulnerability in September, Apple addressed the issue by implementing HTTPS for all network communications within the Passwords app. This fix was included in the iOS 18.2 update released in December. Similar updates were applied to macOS, iPadOS, and the Vision Pro operating system.

To mitigate potential risks, users are strongly advised to update their devices to the latest operating system versions. Apple recommends regularly installing updates to ensure that security patches are applied promptly.
This incident is also a reminder for developers to enforce HTTPS connections by default to protect users from potential security breaches.
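The sketch below is an added example, not Apple's code or anything published by Mysk. It shows an HTTPS-by-default icon fetch policy and why a redirect to HTTPS does not repair a first request sent over HTTP. The function names, the `/favicon.ico` path and the `example.com` URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


class InsecureFetch(ValueError):
    """Raised when an icon fetch would touch plaintext HTTP."""


def icon_url(site, path="/favicon.ico"):
    """Build the icon URL for a stored login. The scheme is always HTTPS.

    Accepts "example.com", "example.com/login" or a full URL. Any scheme,
    port, userinfo, path or query in the stored entry is discarded.
    """
    parts = urlsplit(site if "://" in site else "//" + site)
    if not parts.hostname:
        raise InsecureFetch(f"no host in {site!r}")
    return urlunsplit(("https", parts.hostname, path, "", ""))


def first_plaintext_hop(chain):
    """Return the first URL in a redirect chain that is not HTTPS, else None."""
    for url in chain:
        if urlsplit(url).scheme.lower() != "https":
            return url
    return None


def vet_fetch(site, redirects=()):
    """Return the vetted request chain, or raise if any hop is plaintext.

    `redirects` holds the Location targets a server answered with; a client
    would call this before following each one.
    """
    chain = [icon_url(site), *redirects]
    bad = first_plaintext_hop(chain)
    if bad is not None:
        raise InsecureFetch(f"plaintext hop refused: {bad}")
    return chain


if __name__ == "__main__":
    # Constructed chain matching the behaviour described in the article:
    # the first request is HTTP and only the redirect target is HTTPS.
    observed = ["http://example.com/favicon.ico",
                "https://example.com/favicon.ico"]
    print("exposed hop:", first_plaintext_hop(observed))
    print("hardened chain:", vet_fetch("http://example.com/login"))
```

The same check applied to redirect targets stops a server, or anyone on the network path, from downgrading a fetch that started over HTTPS.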