With the release of iOS 18, Apple transitioned its Keychain password management tool—previously hidden in the Settings—into an independent application known as Passwords. This move represented Apple’s first step towards enhancing user convenience in credential management. However, it has recently come to light that a critical HTTP vulnerability exposed Passwords users to phishing threats for almost three months, from the launch of iOS 18 until it was patched in iOS 18.2.
The security team at Mysk uncovered this weakness after observing that their iPhone’s App Privacy Report indicated Passwords had connected to a staggering 130 different websites via insecure HTTP. Their investigation revealed that not only was the app fetching account logos and icons over HTTP, but it also defaulted to using this unprotected protocol when accessing password reset pages. “This left users at risk: an attacker with access to the network could intercept the HTTP request and redirect the user to a phishing page,” Mysk informed DMN.
Here’s a demonstration from Mysk illustrating how a phishing attack could be executed: [video embedded in the original article]
Mysk expressed surprise that Apple did not enforce HTTPS by default for such a critical application. “Furthermore, Apple ought to provide an option for security-minded users to completely disable icon downloads. I feel uneasy knowing my password manager is regularly communicating with every site for which I have stored credentials, even if the requests made by Passwords do not include any identifying information.”
Today, many modern websites permit unencrypted HTTP connections but automatically redirect them to HTTPS through a 301 redirect. It’s worth mentioning that while the Passwords app before iOS 18.2 initiated requests over HTTP, they were redirected to their secure HTTPS counterparts. Under typical circumstances, this would be acceptable since password changes occur on an encrypted page, protecting credentials from being transmitted in plaintext.
However, issues arise when an attacker shares the same network with the user (for instance, at Starbucks, an airport, or hotel Wi-Fi) and intercepts the initial HTTP request prior to the redirect. An attacker could then manipulate the traffic in various ways. As demonstrated in Mysk’s video, one method includes altering the request to redirect to a phishing webpage mimicking Microsoft’s live.com. This could enable the attacker to collect credentials from victims and potentially execute further attacks.
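The two paragraphs above describe the whole mechanism: the site's own 301 protects nothing if the very first request leaves the device in plaintext, and the fix is for the client never to send that request at all. The following is an added, self-contained simulation written for this article; it is not Apple's or Mysk's code. The "networks" are in-memory functions, `login-live.example` and `/account/reset` are constructed placeholders, and the only thing taken from the article is that the look-alike targeted Microsoft's `live.com`.

```python
"""Constructed simulation (not Apple's or Mysk's code) of the flaw described
above: a client that opens a password-reset page over plain HTTP is safe only
while nobody tampers with the first, unencrypted request. Networks here are
in-memory functions; nothing leaves the machine."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

LEGIT_HOST = "login.live.com"       # the site named in the article's example
PHISH_HOST = "login-live.example"   # constructed placeholder for a look-alike host
RESET_PATH = "/account/reset"       # constructed path; the real one is not on the page


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


def upstream(url: str) -> Response:
    """Any origin server: 301 plain HTTP to HTTPS, serve the page over HTTPS."""
    p = urlsplit(url)
    if p.scheme == "http":
        return Response(301, urlunsplit(("https", p.netloc, p.path, p.query, p.fragment)))
    return Response(200, body=f"password form served by {p.hostname}")


Network = Callable[[str], Response]


def honest_network(url: str) -> Response:
    """Nobody in the middle: requests reach the origin unchanged."""
    return upstream(url)


def hostile_network(url: str) -> Response:
    """Someone sharing the Wi-Fi: can read and rewrite plaintext HTTP, but
    cannot forge a TLS session for a host they do not control."""
    if urlsplit(url).scheme == "http":
        # The site's own redirect is replaced by one pointing at the look-alike host.
        return Response(301, f"https://{PHISH_HOST}{RESET_PATH}")
    return upstream(url)


def fetch(url: str, network: Network, max_redirects: int = 5) -> Tuple[str, Response]:
    """Follow redirects like a browser and return (final_url, final_response)."""
    for _ in range(max_redirects):
        resp = network(url)
        if resp.status in (301, 302, 307, 308) and resp.location:
            url = resp.location
            continue
        return url, resp
    raise RuntimeError("too many redirects")


def vulnerable_open_reset_page(host: str, network: Network) -> str:
    """Pre-18.2 behaviour as the article describes it: the first request is http://."""
    final_url, _ = fetch(f"http://{host}{RESET_PATH}", network)
    return final_url


def hardened_open_reset_page(host: str, network: Network) -> str:
    """Fix: start at https:// so there is no plaintext request to tamper with.
    The off-host check is a deliberately strict extra policy for a password
    manager, not something the article says Apple does."""
    final_url, _ = fetch(f"https://{host}{RESET_PATH}", network)
    if urlsplit(final_url).hostname != host:
        raise ValueError(f"redirected off {host} to {final_url}; refusing to open")
    return final_url


def audit_stored_urls(urls: List[str]) -> List[str]:
    """What the App Privacy Report surfaced, done locally: every stored
    site/icon URL that would be fetched over plaintext HTTP."""
    return [u for u in urls if urlsplit(u).scheme == "http"]


if __name__ == "__main__":
    for name, net in (("honest", honest_network), ("hostile", hostile_network)):
        print(f"{name:8} vulnerable -> {vulnerable_open_reset_page(LEGIT_HOST, net)}")
        print(f"{name:8} hardened  -> {hardened_open_reset_page(LEGIT_HOST, net)}")
    print("plaintext:", audit_stored_urls(["http://example.com/favicon.ico",
                                          "https://example.com/"]))
```

On the honest network both clients land on the real host, which is exactly why the pre-18.2 behaviour looked fine in testing. On the hostile network the HTTP-first client follows the attacker's substituted 301 to the look-alike host over a perfectly valid TLS connection, while the HTTPS-first client never gives the attacker a plaintext request to rewrite. The same audit idea applied to icon URLs is what made the 130 plaintext connections visible in the App Privacy Report.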
This vulnerability was quietly resolved in December of the previous year, but Apple only disclosed it in the past 24 hours. The Passwords app now operates using HTTPS by default for all connections, so make sure your devices are updated to at least version 18.2! It wouldn’t be surprising if this information flies under the radar. Please share to raise awareness!