
Apple Password App Security Flaw Exposed Users to Phishing for 3 Months

by Akinola Ajibola
March 20, 2025
in Security

As part of the iOS 18 software upgrade last year, Apple introduced a dedicated Passwords app. Users can access their passwords and other information from a stand-alone app rather than a menu within the Settings app. A significant security vulnerability in the Passwords app, however, left users exposed to possible phishing attempts by attackers connected to the same Wi-Fi network. Three months after the introduction of iOS 18, the firm has just revealed that it has resolved the security vulnerability.

Apple said on its security website that “a user in a privileged network position may be able to leak sensitive information.” It said that using HTTPS when transferring data across the network resolved the problem.

The iOS 18.2 update was issued in December, and the iPhone manufacturer recently updated its security content release notes (via 9to5Mac). Two new items in the document, both titled ‘Passwords’, discuss fixes to the app. Apple credits Mysk security experts Tommy Mysk and Talal Haj Bakry with discovering the security flaw, which left users open to phishing attacks.

The Passwords app was making unencrypted requests for the logos and icons that appear next to the websites that your saved passwords are linked to, as 9to5Mac reports. Because there was no encryption, someone using the same Wi-Fi network as you, such as at a coffee shop or airport, could redirect your browser to a fake phishing website and steal your login information. Security researchers at software developer Mysk first discovered the issue.

The first patch for iOS 18.2’s Passwords app addressed two vulnerabilities that let a user with privileged network access change network traffic and disclose private data, according to the company’s revised support page.

The Mysk researchers observed that Apple’s Passwords app wasn’t using encrypted connections (HTTPS) when retrieving certain site data, such as site icons. Similarly, HTTP was used to load password reset pages.

An attacker on the same Wi-Fi network could use the same vulnerability to intercept the network request and instruct the device to load a phishing webpage rather than the authentic one. A user who trusts the page may then enter their credentials on the fake website.
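The check below is an added example, not code from Apple, Mysk or the article. It audits a recorded redirect chain for a saved login and reports every hop that was sent in cleartext or reached through one, which is the condition the fix removes. The domains, paths and helper names are constructed placeholders, and the host comparison is a simplification.

```python
from urllib.parse import urlsplit, urljoin

def https_url_for(saved_domain, path="/"):
    """Build the URL a client should open for a saved login: always HTTPS."""
    return f"https://{saved_domain.strip().lower()}{path}"

def host_matches(host, saved_domain):
    # Simplification (assumption): exact host or a subdomain of the saved domain.
    # A real client would compare registrable domains via the Public Suffix List.
    return host == saved_domain or host.endswith("." + saved_domain)

def audit_chain(saved_domain, start_url, locations):
    """Return (final_url, findings) for a recorded redirect chain.

    locations: the Location header of each redirect response, in order.
    """
    findings = []
    chain = [start_url]
    for loc in locations:
        chain.append(urljoin(chain[-1], loc))  # resolve relative redirects
    trusted = True
    for hop, url in enumerate(chain):
        if urlsplit(url).scheme != "https":
            # A cleartext response can be rewritten by anyone on the path.
            findings.append(f"hop {hop}: cleartext request to {url}")
            trusted = False
        elif not trusted:
            # HTTPS here proves nothing: the redirect that led to it was unauthenticated.
            findings.append(f"hop {hop}: {url} was reached via a cleartext hop")
    final_host = urlsplit(chain[-1]).hostname or ""
    if not host_matches(final_host, saved_domain):
        findings.append(f"final host {final_host} is not under {saved_domain}")
    return chain[-1], findings

# Constructed sample chains; example.com and login.example.net are placeholders.
SAVED = "example.com"
cleartext = audit_chain(SAVED, "http://example.com/",
                        ["http://login.example.net/reset"])
upgraded_late = audit_chain(SAVED, "http://example.com/",
                            ["https://example.com/reset"])
hardened = audit_chain(SAVED, https_url_for(SAVED), ["/account/password"])

if __name__ == "__main__":
    for name, (final, found) in [("cleartext", cleartext),
                                 ("upgraded_late", upgraded_late),
                                 ("hardened", hardened)]:
        print(name, final, found or "no findings")
```

The `upgraded_late` case shows why a redirect to HTTPS does not rescue a request that started over HTTP: the redirect itself arrived unauthenticated.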

According to Apple’s updated support page, the cybersecurity firm informed the company about the problem in September, and in December, the company released fixes in iOS 18.2. It should not be a problem for eligible iPhone and iPad devices running iOS 18.2 and iPadOS 18.2 or later.

Apple explains the flaw and its solution as follows: Impact: Sensitive information might be leaked by a user with privileged network access. This problem was fixed by utilizing HTTPS when transmitting data over the network.

ABI Research security analyst Georgia Cooke described the problem as “not a small-fry bug.”

“It’s a hell of a slip from Apple, really,” Cooke remarked. “For the user, this is a concerning vulnerability demonstrating failure in basic security protocols, exposing them to a long-standing attack form which requires limited sophistication.”

Since it needs a rather particular combination of conditions, such as choosing to change your login from a password manager, doing so on a public network, and not noticing that you’re being rerouted, Cooke says most users probably won’t encounter this problem. Nevertheless, it serves as a helpful reminder of the significance of routinely updating your devices.

People can take additional precautions to guard against these types of vulnerabilities, particularly on shared networks, she noted. This includes avoiding critical transactions like changing credentials on public Wi-Fi, not reusing passwords, and directing device traffic through a virtual private network.

Tags: Apple, apple Passwords, cybersecurity