Apple Patches Critical Vulnerability: Passwords App Exposed to Phishing Attacks

A critical security flaw in Apple's Passwords app exposed users to targeted phishing attacks from September 2024 until December 2024, when it was patched in the iOS 18.2 update.
By Blip Tech

Vulnerability in Apple Passwords App

In September 2024, Apple launched the new Passwords app with iOS 18. Initially, however, the app used unencrypted HTTP instead of HTTPS when opening links or fetching icons. This allowed bad actors in a privileged network position to intercept those requests and redirect them to fake websites, potentially harvesting login credentials.

Timeline:

  • September 2024: Apple Passwords app debuted with iOS 18.
  • September 2024: Security firm Mysk discovered the vulnerability and reported it to Apple.
  • December 2024: The vulnerability was patched in iOS 18.2.
  • March 17, 2025: Apple disclosed the vulnerability and patch.

Attack Vector:

Exploiting this vulnerability requires all of the following:

  • The user is on a Wi-Fi network shared with bad actors (e.g., coffee shop, airport).
  • The user opens the Passwords app and taps a link that opens a login page.
  • The bad actor intercepts that request and redirects it to a fake login page.
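
The link handling that removes this attack vector, shown as an added Python example (not Apple's code and not from the original article): saved entries are always opened over HTTPS, and any redirect hop that is cleartext or leaves the saved site is flagged. The function names, the sample URLs and the simplified same-site rule (exact host or subdomain, no public-suffix list) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def to_https(stored: str) -> str:
    """Build the URL to open for a saved entry, never using cleartext HTTP."""
    raw = stored.strip()
    if "://" not in raw:
        raw = "https://" + raw  # bare domain such as "example.com"
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported entry: {stored!r}")
    host = parts.hostname
    # Drop default ports so an upgraded http://host:80 does not become https://host:80.
    if parts.port not in (None, 80, 443):
        host = f"{host}:{parts.port}"
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))

def same_site(host: str, origin: str) -> bool:
    # Simplified rule (assumption): exact host or a subdomain of the saved host.
    return host == origin or host.endswith("." + origin)

def vet_redirects(stored: str, hops: list[str]) -> tuple[bool, str]:
    """Check a redirect chain observed after opening a saved entry.

    Returns (True, start_url) if every hop is HTTPS and stays on the saved
    site, otherwise (False, reason).
    """
    start = to_https(stored)
    origin = (urlsplit(start).hostname or "").removeprefix("www.")
    for url in [start, *hops]:
        hop = urlsplit(url)
        if hop.scheme != "https":
            return False, f"cleartext hop: {url}"
        if not same_site(hop.hostname or "", origin):
            return False, f"left saved site: {url}"
    return True, start

# Constructed sample entries and redirect chains (not from the article).
SAMPLES = [
    ("example.com", ["https://login.example.com/signin"]),
    ("http://example.com/login", ["http://example.com/signin"]),
    ("www.example.com", ["https://example.com.phish.test/"]),
]

if __name__ == "__main__":
    for stored, hops in SAMPLES:
        print(stored, "->", vet_redirects(stored, hops))
```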

Mitigation:

  • Update Devices: Ensure all devices are running iOS 18.2 or later.
  • Password Changes: Consider changing passwords for sensitive accounts if you used the Passwords app to open links on unsecured networks.
  • General Use: The vulnerability did not affect password autofill in apps or websites.

Conclusion:

The likelihood of this vulnerability being exploited in the wild is low due to its specific attack vector. However, updating your device and changing passwords as a precautionary measure is recommended.
