Apple Passwords bug left users vulnerable for three months

Macworld

It emerged Tuesday that a serious HTTP bug in Apple’s Passwords app left users vulnerable to phishing attacks for an astonishing three months after its debut last year.

A fix for the vulnerability was included in the iOS 18.2 software update, which rolled out on December 11 last year. But sources indicate that the bug had been there, unpatched, since the launch of iOS 18.0 (and the Passwords app itself) on September 16.

The “occasional security researchers” at Mysk spotted the problem when they noticed that Passwords was fetching logos and icons via unencrypted HTTP traffic and also defaulted to HTTP when opening password reset pages.

“This left the user vulnerable,” the company told 9to5Mac, which explains the issue in more detail that I will attempt here. “An attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website. We were surprised that Apple didn’t enforce HTTPS by default for such a sensitive app… [and] Apple should provide an option for security-conscious users to disable downloading icons completely.”

Mysk’s words were heeded and Apple patched the bug by making Passwords use HTTPS by default. This change was made quietly in iOS 18.2 in December but was only announced on March 17: “This issue was addressed by using HTTPS when sending information over the network,” Apple now explains in its iOS 18.2 security content page, crediting Talal Haj Bakry and Tommy Mysk of Mysk Inc. for the discovery.

Low-profile security patches are one of the reasons why we recommend timely software updates to your Apple devices. To update iOS on your iPhone, open the Settings app, go to General > Software Update, and follow the onscreen instructions.