Apple's New Passwords App Exposed Users to Phishing Attacks for Three Months After Launch

Summary of Apple’s Passwords App Vulnerability

In iOS 18, Apple introduced the standalone Passwords app to make credential management more user-friendly. However, a significant security flaw left users vulnerable to phishing attacks for nearly three months from the initial release until it was patched in iOS 18.2.

Key Points:

• Vulnerability Discovery: Security researchers at Mysk found that the Passwords app contacted over 130 websites via unsecured HTTP, fetching account logos and icons and opening password reset pages using the same protocol.
• Security Risk: This allowed attackers with network access to intercept HTTP requests and redirect users to phishing sites, potentially stealing their credentials.
• Mitigation: Modern websites often use 301 redirects to HTTPS, which would normally secure the connection. However, an attacker on the same network could manipulate the initial HTTP request before it redirected, leading to a successful phishing attack.
• Resolution: Apple quietly patched the vulnerability in December of the previous year and disclosed it recently. The Passwords app now enforces HTTPS by default for all connections.
• User Action: Ensure your devices are running at least iOS 18.2 to benefit from the security fix.