Apple Password Flaw Exposes Users to Phishing Scams – Urgent Security Alert!

In December, Apple addressed a security vulnerability in its Passwords app, which debuted with iOS 18. This flaw, present for three months, arose from an error in network connection management that left users exposed to phishing attacks. Attackers on the same Wi-Fi network could redirect users to a fraudulent site and steal their login credentials.

An Unsafe HTTP Request

With the rollout of iOS 18, Apple upgraded its Keychain password manager into a standalone app named Passwords. However, a significant security issue was quickly identified. The app was sending unencrypted HTTP requests to fetch icons for saved websites. This outdated and risky connection method allowed attackers on the same Wi-Fi network to intercept the traffic.

Security researchers at Mysk detected this anomaly in September 2024 while reviewing the iOS App Privacy Report. They noticed that Passwords was making HTTP requests to over 130 sites, raising a red flag. Further investigation revealed that the app could also open some password reset pages through the unsecured protocol. Consequently, an attacker could hijack these requests to display a counterfeit site, trapping the user.

Limited but Real Risk

Typically, modern websites automatically redirect HTTP traffic to the more secure HTTPS. However, this protection only takes effect after the first plaintext request has already left the device, so it fails if an attacker intercepts that connection before the redirection happens. Public Wi-Fi networks, such as those in cafes or airports, pose the highest risk, as a cybercriminal can easily join these networks and monitor traffic. Fortunately, the vulnerability wasn't consistently exploitable. To fall victim, one had to connect to a compromised network, launch the Passwords app, click a link to visit a site, and encounter an attacker who could intercept and alter the request in real time. Clearly, this was not a straightforward process.

It’s important to note that the autocomplete feature for passwords on browsers and other apps was not affected.

Quiet Correction and Update

Apple fixed this issue in December 2024 with the release of iOS 18.2, which mandated that the app use only HTTPS. However, the company did not officially disclose the vulnerability until March 17, 2025. This delay in communication was likely intentional to prevent alerting potential attackers before most users had updated their devices.
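The two technical points above, auditing an app's traffic for plaintext HTTP requests (how Mysk spotted the problem in the App Privacy Report) and forcing HTTPS on the client before any request is sent (the nature of the iOS 18.2 fix), are illustrated by the following added example. It is not Apple's or Mysk's code. The report lines are constructed, the field names `app` and `url` are assumptions rather than the real App Privacy Report schema, and the `example.*` hosts are placeholders.

```python
"""Audit a network-activity export for cleartext HTTP and enforce HTTPS client-side.

Added example: constructed data, not the real App Privacy Report format.
"""
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample export, one JSON record per line. Field names are assumed.
SAMPLE_REPORT = """
{"app": "com.apple.Passwords", "url": "http://example.com/favicon.ico"}
{"app": "com.apple.Passwords", "url": "https://example.org/favicon.ico"}
{"app": "com.apple.Passwords", "url": "http://example.net/account/reset"}
{"app": "com.example.other", "url": "http://example.com/"}
"""


def cleartext_requests(report_text, app=None):
    """Return (app, url) pairs for requests made over plain HTTP.

    A server-side redirect to HTTPS does not show up here and does not help:
    the plaintext request has already been sent and can be intercepted.
    """
    hits = []
    for line in report_text.strip().splitlines():
        record = json.loads(line)
        if app is not None and record["app"] != app:
            continue
        if urlsplit(record["url"]).scheme == "http":
            hits.append((record["app"], record["url"]))
    return hits


def enforce_https(url):
    """Rewrite an http:// URL to https:// before any request is made.

    Refuses any other scheme. An explicit default port 80 is dropped, since
    it would otherwise be carried into the HTTPS URL.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        raise ValueError(f"refusing non-HTTPS scheme: {parts.scheme!r}")
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def plan_icon_fetches(urls):
    """Map saved-site URLs to the HTTPS URLs an icon fetcher may actually use.

    URLs with unsupported schemes are skipped rather than fetched insecurely.
    """
    safe = []
    for url in urls:
        try:
            safe.append(enforce_https(url))
        except ValueError:
            continue
    return safe


if __name__ == "__main__":
    for app_id, url in cleartext_requests(SAMPLE_REPORT, app="com.apple.Passwords"):
        print(f"cleartext request by {app_id}: {url}")
    print(plan_icon_fetches(["http://example.com:80/favicon.ico", "ftp://example.com/"]))
```

The audit function answers the question a reviewer of such a report would ask first: which app is talking to which hosts without TLS. The enforcement function shows why the fix belongs in the client: once the scheme is upgraded before the socket is opened, there is no plaintext request for someone on the same Wi-Fi network to tamper with, regardless of whether the server redirects.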

If you’re still using a version prior to iOS 18.2, it’s advisable to update immediately. For increased security, it’s also wise to change any sensitive passwords and avoid clicking on login links on public Wi-Fi networks, though this is good practice year-round, regardless of specific vulnerabilities.
