Apple's Passwords App Had a Security Flaw That Exposed Users to Phishing Attacks for Three Months

Apple's revised release notes for the iOS 18.2 update reveal that it patched two issues related to its Passwords app.

Advertisement
Written by David Delima | Updated: 19 March 2025 15:30 IST
Highlights
  • Apple fixed two flaws with its Passwords app on iOS 18.2
  • iOS 18.1 rolled out to users in December 2024
  • Apple has updated its release notes to detail the security fixes

Apple introduced a standalone Passwords app on iOS 18

Photo Credit: Pexels/ Antoni Shkraba

Apple released a dedicated Passwords app last year, as part of the iOS 18 software update. Instead of a menu inside the Settings app, users can access their passwords and other details via a standalone app. However, the Passwords app had a serious security flaw that exposed users to potential phishing attacks from attackers who were on the same Wi-Fi network. The company recently disclosed that it fixed the security flaw three months after iOS 18 was released.

Apple Fixed Passwords App Vulnerability With iOS 18.2 Update

The iPhone maker recently amended its release notes (via 9to5Mac) for the iOS 18.2 update, which was released in December. The document now includes two entries, both titled 'Passwords', that describe fixes for the app. Apple has credited Mysk security researchers Talal Haj Bakry and Tommy Mysk with identifying the security vulnerability.

Advertisement

According to the company's updated support document, the first patch for the Passwords app on iOS 18.2 fixed two flaws that allowed a user in a privileged network position to leak sensitive information, and alter network traffic. 

The Mysk researchers discovered that Apple's Passwords app wasn't using encrypted connections (HTTPS) when fetching details of specific sites, such as site icons. Similarly, password reset pages were loaded over HTTP.

Advertisement

The same flaw would allow an attacker on the same Wi-Fi network to intercept the network request, and direct the device to load a phishing website instead of the legitimate one. If the user trusts the webpage, they might enter their credentials on the fraudulent website.

The cybersecurity firm reported the issue to Apple in September, and Apple's revised support document reveals that it rolled out fixes for the issue with iOS 18.2 in December. Eligible iPhone and iPad models that are running on iOS 18.2 and iPadOS 18.2 or newer versions should not be vulnerable to the flaw.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Best Mobiles Under Rs. 40,000 in India
  2. Best Water-Resistant Smartphones You Can Buy in India
  1. Samsung Galaxy Z Flip 8 Roundup: Launch Date, Expected Price, Specifications
  2. Redmi Note 17 Pro Global Variant Reportedly Appears on NBD Database Alongside Poco Model
  3. Google Pixel 11a Codename Reportedly Spotted in Phone App
  4. Huawei Mate XT 2 Leaked Patent Reveals New Tri-Fold Design and Folding Mechanism
  5. Airtel Unlimited 5G Data Subscribers Reportedly Cannot Share 5G Data via Mobile Hotspot: Here's What We Know So Far
  6. Lenovo Legion C700 Teased as a Cloud Gaming Handheld Ahead of August Launch
  7. Marvel's Wolverine Gets New Trailer That Will Play Ahead of Christopher Nolan's The Odyssey in Select Theatres
  8. Airtel Quietly Removes Rs. 549 Individual Postpaid Plan in India; Rs. 699 Plan Becomes Next Upgrade
  9. Poco M8 Power, Poco X8 India Launch Timeline Tipped; Could Arrive as Rebranded Redmi Note 17 Series
  10. Samsung Galaxy S25 Series Could Get Galaxy S26’s Horizontal Lock Camera Feature With One UI 9 Update
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.