Apple Addresses Serious Security Flaw in Passwords App That Permitted Phishing Attacks

Apple has long championed privacy, with campaigns proclaiming that privacy is fundamental to its devices. Yet recent revelations expose vulnerabilities in Apple products and raise concerns about the effectiveness of its security measures. A critical flaw in Apple’s built-in password manager, Passwords, exposed users to security risks for nearly three months following its launch.

Researchers found that the vulnerability made phishing attacks possible. If you connected to a public Wi-Fi network, such as at an airport or café, an attacker could redirect your browser from a legitimate site to a fraudulent lookalike page. This remained possible until Apple patched the issue, which raised significant security concerns.

Discovery of the Vulnerability

The Brazilian security research team Mysk revealed the defect in Apple’s Passwords app. Launched with iOS 18 in September 2024, the app used unencrypted HTTP connections instead of HTTPS to fetch graphical elements linked to stored passwords. Consequently, nearby attackers could intercept these requests and potentially redirect users to phishing sites.
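An added example, not from the article, Apple or Mysk: a Python check a defender could run over a proxy log of an app's traffic to find the requests described above, namely cleartext HTTP fetches and HTTP responses that redirect to a different host. The log records, host names and finding labels are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of proxy-log records: (requested URL, status, Location header or None).
SAMPLE_LOG = [
    ("https://example.com/login", 200, None),
    ("http://icons.example.net/example.com.png", 200, None),
    ("http://example.org/reset", 302, "https://lookalike.test/reset"),
    ("http://example.org/", 301, "https://example.org/"),
    ("https://example.org/a", 302, "https://example.org/b"),
]


def audit(records):
    """Return (url, finding) pairs for requests an on-path attacker could tamper with."""
    findings = []
    for url, status, location in records:
        req = urlsplit(url)
        if req.scheme.lower() != "http":
            continue  # TLS-protected request: not readable or modifiable on the wire
        finding = "cleartext-request"
        if 300 <= status < 400 and location:
            target = urlsplit(location)
            # A relative Location has no hostname and stays on the requested host.
            host = (target.hostname or req.hostname or "").lower()
            if host != (req.hostname or "").lower():
                finding = "cleartext-redirect-to-other-host"
            elif target.scheme.lower() == "https":
                # The upgrade itself arrived over HTTP, so it could have been rewritten.
                finding = "cleartext-then-https-upgrade"
        findings.append((url, finding))
    return findings


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_LOG):
        print(f"{finding:35} {url}")
```

Every flagged entry is a request whose response the client cannot authenticate, including the same-host upgrade to HTTPS, because the first hop still travels in cleartext.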

The vulnerability remained unresolved from the app’s introduction until the iOS 18.2 update in December 2024, leaving user data at risk for an extended period. For instance, should a user access the Passwords app and click a link, such as