iPhone Passwords app had vulnerability for three months
Apple's Passwords app for iPhones had a security flaw for almost three months, according to a new report. The issue affected users only in rare circumstances, but in those cases it exposed them to phishing attacks.

The Passwords app was introduced in iOS 18. It replaced the older Keychain password management tool, making it easier to manage passwords. However, a bug in the app meant it used insecure HTTP for certain functions, which could expose users to risk.

Security researchers from Mysk discovered the flaw after noticing that their iPhones reported the Passwords app contacting around 130 different websites over insecure HTTP. They found that the app was not only fetching account logos but also opening password reset pages using this insecure method. An attacker able to intercept those requests could redirect users to fake websites and steal their credentials.

Fortunately, the risk was generally low for most users. Many modern websites redirect HTTP requests to secure HTTPS connections. This means that even if the Passwords app initially sent a request over HTTP, users were usually protected, since the sensitive data was still sent over an encrypted page. The risk increased, however, when an attacker was on the same network as the user, such as public Wi-Fi at a café or airport. In such cases, the attacker could intercept the initial plaintext request and redirect the user to a phishing site, putting their credentials at risk.

Apple fixed the flaw in an update released on December 11, 2024. The company disclosed the issue on March 17, 2025, after ensuring it was resolved. Apple typically does not reveal security flaws until they are fixed, to prevent misuse.
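The two defensive checks implied by the report are an HTTPS-only policy for any URL a password manager opens, and a review of outbound traffic for plaintext requests of the kind the researchers noticed. The following is an added example, not code from the article, from Apple or from Mysk; the log format, process name and URLs are constructed for illustration.

```python
"""Added example (not from the article or Apple's code): enforce an
HTTPS-only policy for URLs a password manager opens, and flag plaintext
HTTP requests in a constructed egress log."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of egress log lines in the form "<process> <method> <url>".
# The process name "Passwords" and all hosts are hypothetical.
SAMPLE_LOG = """\
Passwords GET http://example.com/favicon.ico
Passwords GET https://example.com/favicon.ico
Passwords GET http://bank.example/reset-password
Mail GET https://mail.example/inbox
Passwords GET http://shop.example/logo.png
"""


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// URL to https:// before it is fetched or opened.

    An HTTPS URL is returned unchanged; an http:// URL has only its scheme
    replaced, so host, path and query survive. Any other scheme is refused
    rather than silently passed through.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        # SplitResult is a namedtuple; keep everything after the scheme.
        return urlunsplit(("https",) + tuple(parts[1:]))
    raise ValueError(f"refusing to open non-web URL scheme: {parts.scheme!r}")


def plaintext_requests(log_text: str, process: str = "Passwords") -> list[str]:
    """Return the URLs a given process requested over plaintext HTTP.

    Lines that do not match the three-field layout are skipped so a noisy
    log does not abort the scan.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        proc, _method, url = fields
        if proc == process and urlsplit(url).scheme == "http":
            hits.append(url)
    return hits


def plaintext_hosts(log_text: str, process: str = "Passwords") -> dict[str, int]:
    """Count plaintext requests per host, the view that makes '130 sites' visible."""
    counts: dict[str, int] = {}
    for url in plaintext_requests(log_text, process):
        host = urlsplit(url).hostname or "?"
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for url in plaintext_requests(SAMPLE_LOG):
        print(f"plaintext: {url} -> would open {upgrade_to_https(url)}")
    print(plaintext_hosts(SAMPLE_LOG))
```

The scheme rewrite is the same shape as a client-side fix: it does not depend on the remote site redirecting HTTP to HTTPS, which is exactly the assumption an on-path attacker on shared Wi-Fi breaks. The log scan is the detection side, useful for anyone auditing which apps on a device still make plaintext requests.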