Last year, Apple introduced a standalone Passwords app as part of its iOS 18 software update, allowing users to manage their passwords and related information outside of the Settings app. However, a significant security vulnerability was discovered within the app, exposing users to potential phishing attacks from individuals connected to the same Wi-Fi network. Apple has since revealed it rectified this issue three months following the launch of iOS 18.
Vulnerability in Passwords App Addressed with iOS 18.2 Update
The tech giant recently updated its release notes (via 9to5Mac) for the iOS 18.2 update, initially released in December. The notes now contain two entries related to ‘Passwords’, highlighting the fixes implemented for the app. Apple acknowledged the contribution of security researchers Talal Haj Bakry and Tommy Mysk from Mysk for uncovering the vulnerability.
The updated support document specifies that the first patch included in the iOS 18.2 update remediated two issues that permitted a user on a privileged network to both leak sensitive information and manipulate network traffic.
Mysk’s investigation revealed that the Passwords app was not using encrypted connections (HTTPS) when fetching details from certain websites, including site icons. Additionally, password reset pages were accessed over unencrypted HTTP.
This vulnerability allowed an attacker within the same Wi-Fi environment to intercept the network requests, redirecting the device to a phishing site rather than the intended legitimate page. If users unknowingly trusted the fraudulent website, they might enter their login credentials there.
The cybersecurity firm reported this flaw to Apple in September, and the company’s updated support document indicates that fixes were implemented with the release of iOS 18.2 in December. iPhone and iPad models operating on iOS 18.2 or newer should now be secured against this vulnerability.
