In a significant update, Apple introduced a standalone app called Passwords in iOS 18, evolving its Keychain password management tool, which was previously confined to the Settings menu. This move aimed to enhance user convenience in managing credentials. However, a serious HTTP bug has since been uncovered, which left users of the Passwords app exposed to potential phishing attacks for nearly three months, from the launch of iOS 18 until the release of a patch in iOS 18.2.
The flaw was first detected by security researchers at Mysk, who noticed alarming activity in their iPhone’s App Privacy Report. The report indicated that the Passwords app had contacted an astonishing 130 different websites over insecure HTTP traffic. This discovery prompted a more in-depth investigation, revealing that the app not only retrieved account logos and icons through HTTP but also defaulted to opening password reset pages using the unencrypted protocol.
This oversight created a significant security risk. As Mysk explained to 9to5Mac, “This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website.” Mysk elaborated on how a phishing attack could be executed, expressing surprise that Apple did not enforce HTTPS by default for an application handling sensitive information like passwords.
Furthermore, Mysk suggested that Apple should offer an option for security-conscious users to disable the automatic downloading of icons entirely. “I don’t feel comfortable with my password manager constantly pinging each website I maintain a password for, even though the calls Passwords sends don’t contain any ID,” they stated.
While many modern websites still accept unencrypted HTTP connections, they typically redirect these requests to HTTPS via 301 redirects. Although the Passwords app initially made its requests over HTTP, these were usually redirected to the secure HTTPS versions. Under normal circumstances this would not pose a significant issue, since the password change itself occurs on an encrypted page, so credentials are not transmitted in plaintext.
However, the vulnerability becomes critical when an attacker is on the same network as the user—such as public Wi-Fi at a Starbucks, airport, or hotel. In such scenarios, an attacker could intercept the initial HTTP request before it is redirected to HTTPS, allowing them to manipulate the traffic. As demonstrated in Mysk’s analysis, one tactic could involve redirecting users to a phishing site mimicking Microsoft’s live.com page, enabling attackers to harvest credentials and execute further malicious activities.
This troubling security flaw was quietly patched in December of the previous year, but Apple only disclosed the issue recently. Following the update to iOS 18.2, the Passwords app now utilizes HTTPS by default for all connections, significantly enhancing its security measures. Users are urged to ensure they are running at least iOS 18.2 on their devices to benefit from these critical updates.
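The two defensive checks implied by the paragraphs above, written here as an added example rather than code from the article, from Mysk, or from Apple: an audit that scans a list of outbound requests (in the spirit of the App Privacy Report that first exposed the behaviour) and reports which hosts were contacted over plaintext HTTP, and a helper that upgrades any http:// URL to https:// before it is used, which is the behaviour the article attributes to the iOS 18.2 fix. The request list is constructed sample data using reserved example domains, and both function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of outbound requests from a password manager, in the style
# of the icon and password-reset fetches described in the article. These are
# illustrative entries on reserved example domains, not data from any report.
SAMPLE_REQUESTS = [
    "http://example.com/favicon.ico",
    "http://example.com/.well-known/change-password",
    "https://example.org/favicon.ico",
    "http://example.net/apple-touch-icon.png",
    "https://example.net/.well-known/change-password",
]


def plaintext_hosts(requests):
    """Return a Counter of hosts that were contacted over unencrypted HTTP.

    Each plaintext request is an opportunity for an on-path attacker to answer
    before the site's own redirect to HTTPS arrives, so the audit counts every
    such request per host rather than just flagging the host once.
    """
    counts = Counter()
    for url in requests:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname:
            counts[parts.hostname] += 1
    return counts


def enforce_https(url):
    """Rewrite an http:// URL to https:// and reject any other scheme.

    Hypothetical helper mirroring the "HTTPS by default" behaviour the article
    attributes to iOS 18.2; it is not Apple's implementation. Upgrading on the
    client removes the plaintext hop entirely instead of relying on the server's
    301 redirect, which an attacker on the same network could pre-empt.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        raise ValueError(f"refusing non-HTTP(S) scheme: {parts.scheme!r}")

    netloc = parts.netloc
    if parts.port == 80:
        # An explicit :80 only makes sense for plaintext HTTP; drop it so the
        # upgraded URL falls back to the default HTTPS port.
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for host, n in sorted(plaintext_hosts(SAMPLE_REQUESTS).items()):
        print(f"plaintext HTTP to {host}: {n} request(s)")
    for url in SAMPLE_REQUESTS:
        print(f"{url} -> {enforce_https(url)}")
```

Running the block prints the per-host plaintext count for the sample (two hosts, with example.com contacted twice) and the upgraded form of every URL; a URL with an unsupported scheme such as ftp:// is rejected with a ValueError rather than silently passed through.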
Despite the importance of this information, it is likely that this news may go unnoticed by many users. Therefore, sharing this article can help raise awareness about the potential security risks associated with the Passwords app.