
Apple’s Passwords app was vulnerable to phishing attacks for nearly three months after launch

Last updated: March 18, 2025 12:36 pm
Oliver James

In iOS 18, Apple spun off its Keychain password management tool—previously only tucked away in Settings—into a standalone app called Passwords. It was the company’s first move at making credential management more convenient for users. It’s now been revealed that a serious HTTP bug left Passwords users vulnerable to phishing attacks for nearly three months, from the initial release of iOS 18 until the patch in iOS 18.2.

Security researchers at Mysk first discovered the flaw after noticing that their iPhone’s App Privacy Report showed Passwords had contacted a staggering 130 different websites over insecure HTTP traffic. This prompted the duo to investigate further, finding that not only was the app fetching account logos and icons over HTTP—it also defaulted to opening password reset pages using the unencrypted protocol. “This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website,” Mysk told 9to5Mac.

Mysk demonstrates how a phishing attack could be carried out:

“We were surprised that Apple didn’t enforce HTTPS by default for such a sensitive app,” Mysk states. “Additionally, Apple should provide an option for security-conscious users to disable downloading icons completely. I don’t feel comfortable with my password manager constantly pinging each website I maintain a password for, even though the calls Passwords sends don’t contain any ID.”

Most modern websites nowadays allow unencrypted HTTP connections but automatically redirect them to HTTPS using a 301 redirect. It’s important to note that while the Passwords app before iOS 18.2 would make a request over HTTP, it would be redirected to the secure HTTPS version. Under normal circumstances, this would be totally fine, as the password changes occur on an encrypted page, ensuring that credentials are not sent in plaintext.

However, it becomes a problem when the attacker is connected to the same network as the user (e.g., Starbucks, airport, or hotel Wi-Fi) and intercepts the initial HTTP request before it redirects. From here they could manipulate the traffic in a few ways. As seen in Mysk’s demo above, this includes modifying the request to redirect the user to a phishing site that resembles Microsoft’s live.com page. The attacker can then easily gather credentials from the victims and even launch other attacks.

While this was quietly patched in December of last year, Apple only just disclosed it in the last 24 hours. The Passwords app now uses HTTPS by default for all connections, so ensure you’re running at least 18.2 on your devices! I wouldn’t be surprised if this news travels far under the radar. Share for awareness!
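The redirect weakness and the HTTPS-by-default fix described above can be checked with a short audit of redirect chains. This is an added example, not code from Apple, Mysk, or the original article; the hosts, the chains, and the function names `force_https` and `audit_chain` are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def force_https(url):
    """Return the URL with an https scheme so no plaintext request is ever sent."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    host = parts.hostname
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    # Keep an explicit non-default port; drop 80, which only applies to http.
    if parts.port not in (None, 80, 443):
        host = f"{host}:{parts.port}"
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))

def audit_chain(hops):
    """hops: list of (request_url, Location header or None), in the order followed.
    Returns (hop_index, finding) for every hop an on-path party could alter."""
    findings = []
    for i, (url, location) in enumerate(hops):
        if urlsplit(url).scheme == "https":
            continue                     # response is authenticated by TLS
        findings.append((i, "plaintext-request"))
        if location is not None:
            # Whatever the Location header says, it arrived unauthenticated,
            # so the client cannot tell a genuine 301 from a forged one.
            findings.append((i, "unauthenticated-redirect"))
    return findings

# Constructed sample chains (hypothetical hosts, not captured traffic).
LEGIT = [("http://accounts.example.com/reset", "https://accounts.example.com/reset"),
         ("https://accounts.example.com/reset", None)]
TAMPERED = [("http://accounts.example.com/reset", "https://login.example.net/reset"),
            ("https://login.example.net/reset", None)]
FIXED = [(force_https("http://accounts.example.com/reset"), None)]

if __name__ == "__main__":
    for name, chain in (("legit", LEGIT), ("tampered", TAMPERED), ("fixed", FIXED)):
        print(name, audit_chain(chain))
```

The genuine and the tampered chain produce identical findings at the first hop, which is why the only reliable fix is never to send the plaintext request at all.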
