Apple has patched a vulnerability in the Passwords app in iOS 18.2 that had existed for the three months since iOS 18 was released, leaving users vulnerable to phishing attacks, 9to5Mac reported. The fix shipped back in December, but Apple is only now disclosing it.
Apple has spun out the Keychain password management tool, which was previously located in Settings, into a separate app called Passwords in iOS 18. Security researchers at Mysk were the first to identify the vulnerability, noting that the iPhone App Privacy Report found that Passwords was communicating with 130 different websites over the unsecured HTTP protocol. Upon further investigation, they found that the app was not only fetching account logos and icons over HTTP, but also opening password reset pages by default using the unencrypted protocol. “This left the user vulnerable to attack by allowing an attacker with privileged network access to intercept the HTTP request and redirect the user to a phishing site,” Mysk told 9to5Mac.
The researchers suggested that Apple should have enabled HTTPS support by default for such a “sensitive app,” and also provided security-conscious users with the option to disable icon loading entirely.
Most modern websites still accept unencrypted HTTP connections, but automatically redirect them to HTTPS using a 301 Permanent Redirect. It’s worth noting that while the Passwords app made its initial request over HTTP prior to iOS 18.2, that request was then redirected to the secure HTTPS version. This isn’t a threat under normal circumstances, since the password change itself occurs on an encrypted page, ensuring that credentials aren’t sent in the clear. However, it does pose a problem when an attacker is on the same network as the user (such as a Starbucks, airport, or hotel Wi-Fi) and intercepts the original HTTP request before the redirect happens. In that case, the attacker can manipulate the traffic in a number of ways, including answering the plaintext request with a redirect to a phishing site instead of the legitimate HTTPS page.
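As an added example (not code from 9to5Mac, Mysk or Apple), the following Python audit follows a stored password-reset URL's redirect chain against constructed, offline responses and reports whether the first request leaves the device in plaintext, which is exactly the hop the article says an on-path attacker can answer. The hostnames, responses and the `fetch` stub are all made up for the demonstration.

```python
from urllib.parse import urlparse

# Constructed sample "network": URL -> (status, headers). Stands in for live
# responses so the audit runs offline; the .test hosts are placeholders.
SAMPLE_RESPONSES = {
    "http://example-bank.test/reset": (301, {"Location": "https://example-bank.test/reset"}),
    "https://example-bank.test/reset": (200, {}),
    "http://legacy-shop.test/password": (200, {}),
    "https://mail.example.test/recover": (200, {}),
}

def fetch(url, responses=SAMPLE_RESPONSES):
    """Stand-in for an HTTP client: look the URL up in the constructed table."""
    return responses.get(url, (404, {}))

def audit_reset_url(url, fetch_fn=fetch, max_hops=5):
    """Follow redirects for a password-reset URL and classify the exposure.

    Verdicts:
      "secure"        every request in the chain used HTTPS
      "interceptable" the first request is plaintext, so an attacker on the
                      same network can answer it before the 301 to HTTPS
      "plaintext"     the chain never reaches HTTPS at all
    """
    chain = [url]
    current = url
    for _ in range(max_hops):
        status, headers = fetch_fn(current)
        if status in (301, 302, 307, 308) and "Location" in headers:
            current = headers["Location"]
            chain.append(current)
        else:
            break
    plaintext_hops = [u for u in chain if urlparse(u).scheme == "http"]
    final_https = urlparse(chain[-1]).scheme == "https"
    if not plaintext_hops:
        verdict = "secure"
    elif final_https:
        verdict = "interceptable"
    else:
        verdict = "plaintext"
    return {"final_url": chain[-1], "plaintext_hops": plaintext_hops, "verdict": verdict}

def upgraded(url):
    """Rewrite a stored http:// URL to https:// before the first request, so no
    plaintext hop is ever sent (the HTTPS-by-default behaviour the article describes)."""
    parts = urlparse(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url
```

Running the audit over a password manager's stored reset URLs (instead of the constructed table) shows which entries still start with a plaintext hop; `upgraded()` removes that hop client-side without waiting on the server's redirect.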
With the release of iOS 18.2, the Passwords app uses HTTPS by default for all connections, so users are advised to update the OS on their iPhone.