Apple fixed a bug in its Passwords app with December’s iOS 18.2 update that had left users vulnerable to phishing attacks in the three months since the launch of iOS 18.

According to an Apple security update spotted by 9to5Mac, the Passwords app was sending unencrypted requests for the logos and icons associated with users’ stored passwords.

Without protections of encryption, an attacker on the same Wi-Fi network could redirect a user’s browser to a clone phishing site where login details could be stolen. The vulnerability was first discovered by developer Mysk’s security researchers and reported in September.

Apple’s iOS 18.2 security release notes described the bug like so:

Impact: A user in a privileged network position may be able to leak sensitive information

Description: This issue was addressed by using HTTPS when sending information over the network.

Apple lists the bug in security content updates for the Mac, iPad, and Vision Pro, indicating that this issue was fixed across multiple OSes.
This article, “Apple Passwords App Bug Left Users Vulnerable to Phishing Attacks for Months Before Being Fixed” first appeared on MacRumors.com

Discuss this article in our forums