Apple's Passwords App Had a Security Flaw That Exposed Users to Phishing Attacks for Three Months

Apple released a dedicated Passwords app last year, as part of the iOS 18 software update. Instead of a menu inside the Settings app, users can access their passwords and other details via a standalone app. However, the Passwords app had a serious security flaw that exposed users to potential phishing attacks from attackers who were on the same Wi-Fi network. The company recently disclosed that it fixed the security flaw three months after iOS 18 was released.

Apple Fixed Passwords App Vulnerability With iOS 18.2 Update

The iPhone maker recently amended its release notes (via 9to5Mac) for the iOS 18.2 update, which was released in December. The document now includes two entries, both titled 'Passwords', that describe fixes for the app. Apple has credited Mysk security researchers Talal Haj Bakry and Tommy Mysk with identifying the security vulnerability.

According to the company's updated support document, the first patch for the Passwords app on iOS 18.2 fixed two flaws that allowed a user in a privileged network position to leak sensitive information, and alter network traffic. 

The Mysk researchers discovered that Apple's Passwords app wasn't using encrypted connections (HTTPS) when fetching details of specific sites, such as site icons. Similarly, password reset pages were loaded over HTTP.

The same flaw would allow an attacker on the same Wi-Fi network to intercept the network request, and direct the device to load a phishing website instead of the legitimate one. If the user trusts the webpage, they might enter their credentials on the fraudulent website.

The cybersecurity firm reported the issue to Apple in September, and Apple's revised support document reveals that it rolled out fixes for the issue with iOS 18.2 in December. Eligible iPhone and iPad models that are running on iOS 18.2 and iPadOS 18.2 or newer versions should not be vulnerable to the flaw.