Apple’s Passwords App Had a Significant Security Flaw (But It’s Been Fixed)
Credit: Jesse Hollington / iDrop News
Toggle Dark Mode
Apple brought password management front and center last year when it introduced a new Passwords app in iOS 18, but now it turns out that there may have been a potentially serious security fly in the ointment.
While iPhone, iPad, and Mac users have been able to manage passwords through iCloud Keychain for years, and Apple has even embraced new features like Passkeys and password sharing, this was all pretty hidden away, initially buried in the Safari settings, and then later brought out to its own distinct section in the Settings app in iOS 14.
With iOS 18, Apple brought it to the forefront with a standalone app. The new Passwords app is mostly just a new coat of paint on the old Passwords section in the Settings app, but it significantly improved usability and even brought things like your stored Wi-Fi passwords into the fold (these were previously accessible only through the Wi-Fi settings).
Sadly, it turns out that Apple’s engineers may not have thought everything through when they moved over to the new standalone app. The folks at Mysk — a duo of two developers and security researchers who have uncovered similar flaws in other apps like Google Authenticator and Mail on the Apple Watch — discovered the app using unencrypted traffic to communicate with websites that could potentially expose users to a phishing attack.
The problem stems from the fact that the Passwords app doesn’t use HTTPS encryption by default. It opens links and downloads icons over plain old unencrypted HTTP connections. While that’s not a big problem for things like account icons — at most, it could expose the sites you have accounts on to anyone sniffing your network traffic — the app also opens links to change or reset passwords using HTTP by default.
Mysk posted a video demonstrating how this could be used to redirect a victim to a malicious website that could then be used to intercept their credentials.
To be clear, this flaw would only leave you vulnerable if you were on an insecure network. However, this isn’t just about insecure Wi-Fi; even a school or business network could be compromised, as unencrypted HTTP traffic can be intercepted anywhere along the way. From home, this would require a hacker in your house or at your ISP, which is considerably less likely, but traffic on many school and office networks can be monitored by other students or employees.
Nevertheless, this was still likely only a serious issue if you were using the links in the Passwords app to visit websites to change passwords or set up two-factor authentication codes and someone had specifically configured a phishing attack to take advantage of that. The vulnerability wouldn’t expose actual passwords since virtually every reputable website would redirect unencrypted HTTP requests to HTTPS before letting you enter or change your password. Still, even casual traffic monitoring would be able to reveal the websites you had saved passwords for — including some that you might not want to be disclosed.
The researchers add that they reported the bug in September, and while Apple addressed it in iOS 18.2, it didn’t initially include that fix in its iOS 18.2 and iPadOS 18.2 security release notes until this week, crediting “Talal Haj Bakry and Tommy Mysk of Mysk Inc.”
Impact: A user in a privileged network position may be able to leak sensitive information
Description: This issue was addressed by using HTTPS when sending information over the network.
Several vulnerabilities in iOS 18.2 weren’t disclosed until this week, as Apple has also added another new entry under MobileBackup related to “restoring a maliciously crafted backup file” and updated an issue on Passkeys. The notes also add new acknowledgments related to Bluetooth, Face Gallery, and MobileLockdown.
Apple doesn’t explain why these updates came later, but we can safely assume it wanted to ensure that enough people had updated to iOS 18.2 before revealing these vulnerabilities. After all, once they’re published, every hacker and other bad actor will be looking for ways to exploit folks who haven’t updated to the latest iOS release (which is the number one reason why you always should).
In other words, if you’re still running iOS 18.1, this is yet another reason to update your iPhone now. Head into Settings > General > Software Updates and install any updates you find there.
If you’re on at least iOS 18.2, you should be fine, but remember that subsequent updates like iOS 18.3 and even iOS 18.3.2 have fixed other security flaws, and based on what we’ve just seen from Mysk, there may even be flaws in iOS 18.2 that Apple hasn’t yet disclosed in its latest security release notes.
