Apple Acknowledges Passwords App Vulnerability That Left Users Exposed for Months

Arsalan Rathore

Apple has disclosed, in its security release notes, a flaw in its Passwords app that left users exposed to phishing attacks for roughly three months before it was fixed in iOS 18.2. The issue, first spotted by security researchers at app developer Mysk, is of particular concern to anyone using the app on untrusted networks such as public Wi-Fi.
According to Apple's security notes, the flaw stemmed from the Passwords app requesting the logos and icons of websites associated with stored credentials over unencrypted HTTP. Because those requests and responses travelled in plaintext, an attacker on the same Wi-Fi network, in a coffee shop or airport for example, could observe them and tamper with the responses to redirect users to fraudulent phishing sites designed to steal login credentials.
In its updated security notes, Apple acknowledged the flaw, stating:
“A user in a privileged network position may be able to leak sensitive information.”
To address the issue, Apple said it moved the affected requests to HTTPS:
“This issue was addressed using HTTPS when sending information over the network.”
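As an added illustration (not Apple's code, nor Mysk's proof of concept), the following Python models the two behaviours the article describes: an icon fetch over plaintext HTTP that an on-path attacker can read and answer with a forged redirect, and the post-fix fetch over HTTPS, which the same attacker can only pass through. The network, the attacker, the host names and the function names are all constructed for the example.

```python
"""Toy model of the Passwords-app icon fetch before and after the HTTPS fix.

Added example, not code from Apple or Mysk. The "network" is simulated
in-process; host names and response fixtures are made up.
"""
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5
PHISHING_HOST = "account-verify.example"   # constructed attacker-controlled host
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"           # first bytes of a real PNG icon


class InsecureRedirect(Exception):
    """Raised by the hardened client when a redirect would leave HTTPS."""


def honest_origin(url):
    """What the real site would answer. Constructed fixture: every host serves a
    PNG icon, except 'downgrade.example', which bounces HTTPS icon requests to HTTP
    (used to show why the hardened client must also police redirects)."""
    u = urlparse(url)
    if u.hostname == "downgrade.example" and u.scheme == "https":
        return {"status": 302, "headers": {"Location": f"http://{u.hostname}{u.path}"}, "body": b""}
    return {"status": 200, "headers": {"Content-Type": "image/png"}, "body": PNG_MAGIC}


class OnPathAttacker:
    """Models a 'privileged network position' such as the same coffee-shop Wi-Fi.

    Plaintext HTTP: the attacker reads the request line and Host header (learning
    which sites the victim stores credentials for) and can replace the response.
    HTTPS: the attacker still sees the destination host (TLS SNI), but the path
    and the response are opaque and cannot be altered without a valid certificate,
    so they are passed through unchanged.
    """

    def __init__(self):
        self.observed = []   # (scheme, host, path); path is None when not visible

    def relay(self, url):
        u = urlparse(url)
        if u.scheme == "https":
            self.observed.append(("https", u.hostname, None))
            return honest_origin(url)
        self.observed.append(("http", u.hostname, u.path))
        if u.hostname == PHISHING_HOST:
            # The attacker runs this host: serve a look-alike login page.
            body = b"<html><form action='/steal' method='post'>Sign in</form></html>"
            return {"status": 200, "headers": {"Content-Type": "text/html"}, "body": body}
        # Any other plaintext request gets a forged redirect to the phishing host.
        phish = f"http://{PHISHING_HOST}/{u.hostname}/login"
        return {"status": 302, "headers": {"Location": phish}, "body": b""}


def fetch_icon(site, relay, require_https):
    """Fetch a stored site's icon through `relay` (the simulated network).

    require_https=False models the pre-fix behaviour the article describes:
    plaintext request, redirects followed wherever they point.
    require_https=True models the fix: the request itself is HTTPS, and any
    redirect that would drop back to plaintext is refused.
    Returns (final_url, response).
    """
    url = f"{'https' if require_https else 'http'}://{site}/favicon.ico"
    for _ in range(MAX_HOPS + 1):
        resp = relay(url)
        if resp["status"] not in REDIRECT_CODES:
            return url, resp
        target = resp["headers"]["Location"]
        if require_https and urlparse(target).scheme != "https":
            raise InsecureRedirect(target)
        url = target
    raise InsecureRedirect("too many redirects")


def demo(site="bank.example"):
    """Run both clients against a fresh attacker and summarise what each got."""
    mitm = OnPathAttacker()
    before_url, before = fetch_icon(site, mitm.relay, require_https=False)
    after_url, after = fetch_icon(site, mitm.relay, require_https=True)
    try:
        fetch_icon("downgrade.example", OnPathAttacker().relay, require_https=True)
        downgrade_refused = False
    except InsecureRedirect:
        downgrade_refused = True
    return {
        "before_url": before_url,                      # lands on the phishing page
        "before_is_html": before["headers"]["Content-Type"] == "text/html",
        "after_url": after_url,                        # the genuine icon URL
        "after_is_png": after["body"] == PNG_MAGIC,
        "attacker_saw": mitm.observed,
        "downgrade_refused": downgrade_refused,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the model makes visible that the article's summary does not: even over HTTPS the attacker still learns which host is being contacted (via SNI), so the gain from the fix is integrity rather than complete secrecy; and switching the first request to HTTPS is not enough on its own, since a server-side 302 back to `http://` would reopen the hole, which is why the hardened client refuses redirects off HTTPS.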
The fix was implemented across Apple’s ecosystem, including macOS, iPadOS, and Vision Pro.
Mysk reported the vulnerability to Apple in September, but it went unpatched for months. The flaw affected not just iPhones but also Macs, iPads and the Vision Pro, as Apple's security notes for those platforms confirm.
With the fix in place, users are urged to update their devices to the latest software versions to ensure their data remains secure.