NIXsolutions: iOS 18.2 Fixes Passwords App Flaw

With the release of iOS 18.2, Apple has addressed a vulnerability in the Passwords app that had been present for the three months since iOS 18 launched. According to 9to5Mac, the fix shipped back in December, but Apple only recently disclosed the issue.

Previously, the Keychain password management tool lived inside the Settings app, but starting with iOS 18 it was split off into a dedicated Passwords app. Security researchers at Mysk were the first to spot the vulnerability. Their investigation, based on the iPhone's App Privacy Report, revealed that the Passwords app was communicating with 130 different websites over unencrypted HTTP. Further analysis showed that the app fetched account logos and icons over HTTP and, by default, also opened password-reset pages over the unencrypted protocol.

“This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing site,” Mysk explained to 9to5Mac.

The researchers argued that Apple should have used HTTPS by default in such a sensitive app, and suggested that users also be given the option to disable icon loading entirely for added protection.

Risks and the iOS 18.2 Security Improvement

Most modern websites still accept unencrypted HTTP connections but immediately redirect them to HTTPS with a 301 Permanent Redirect. Before iOS 18.2, NIXsolutions reminds, the Passwords app made its initial request over HTTP and relied on that redirect to reach the HTTPS page. On a trustworthy network this is not a significant threat, because the password change itself happens on the HTTPS page, so the credentials are never sent in plaintext.

The weakness is that the first request, and the redirect that answers it, travel in plaintext. On a public network, such as coffee-shop, airport or hotel Wi-Fi, an attacker on the same network can see the initial HTTP request and answer it first, substituting a redirect to a look-alike phishing site before the legitimate redirect to HTTPS arrives. The attacker never has to break TLS: the user is steered to the wrong site before HTTPS is involved at all, and may then type their credentials into the phishing page.
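The following is an added example, not code from NIXsolutions, Mysk or Apple, that models the mechanism described above as a small simulation. The "network" functions, the host names (example.com as the legitimate site, example-com.login.evil as the attacker's look-alike) and the redirect-following client are all constructed for the example; the point is to show that an HTTP-first client lands on the attacker's host when someone on the path answers the plaintext request, while a client that upgrades to https:// before the first request leaves the device never gives the attacker anything to rewrite.

```python
"""
Constructed model of the HTTP-first redirect problem (added example).

Two "networks" are modelled:
  - legit_server: the honest case, where a plaintext request gets a
    301 to the HTTPS origin and the HTTPS page is the real site.
  - attacker_on_path: a shared-Wi-Fi attacker who can read and answer
    any plaintext request but cannot forge TLS for the real host.
"""
from urllib.parse import urlsplit, urlunsplit

LEGIT_HOST = "example.com"             # constructed stand-in for a real site
PHISH_HOST = "example-com.login.evil"  # constructed attacker look-alike host


def legit_server(url):
    """Typical site behaviour: http:// -> 301 to https://, https:// -> page."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, urlunsplit(("https",) + tuple(parts[1:])), None
    return 200, None, f"reset-form@{parts.hostname}"


def attacker_on_path(url):
    """On-path attacker. Only plaintext can be tampered with."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        # Answer the plaintext request before the real server does,
        # pointing the client at the look-alike host instead.
        return 301, urlunsplit(("https", PHISH_HOST, parts.path, parts.query, "")), None
    if parts.hostname == PHISH_HOST:
        # The attacker holds a valid certificate for its own domain.
        return 200, None, "phishing-form"
    # HTTPS to the real host cannot be read or altered: pass it through.
    return legit_server(url)


def fetch(url, network, max_redirects=5, trace=None):
    """Minimal redirect-following client; records every URL it requests."""
    for _ in range(max_redirects):
        if trace is not None:
            trace.append(url)
        status, location, body = network(url)
        if status in (301, 302, 307, 308):
            url = location
            continue
        return url, body
    raise RuntimeError("too many redirects")


def upgrade_to_https(url):
    """The HTTPS-by-default fix: rewrite http:// to https:// on the client
    before any request is sent, and refuse anything that is not HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts[1:]))
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url


def open_reset_page(stored_url, network, https_by_default):
    """Model of a password manager opening a site's password-reset link.
    Returns (host the user finally lands on, list of URLs requested)."""
    trace = []
    url = upgrade_to_https(stored_url) if https_by_default else stored_url
    final_url, _ = fetch(url, network, trace=trace)
    return urlsplit(final_url).hostname, trace


if __name__ == "__main__":
    stored = f"http://{LEGIT_HOST}/account/reset"
    for https_default in (False, True):
        host, trace = open_reset_page(stored, attacker_on_path, https_default)
        print(f"https_by_default={https_default}: landed on {host}; requests={trace}")
```

Run stand-alone, the script shows the HTTP-first client landing on the attacker's host after two requests (the first in plaintext), and the HTTPS-by-default client reaching the real host with a single https:// request. The same check, that an app never emits an http:// request in the first place, is what one would look for when auditing a real client's traffic, as Mysk did with the App Privacy Report.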

With iOS 18.2, Apple ensures that the Passwords app uses HTTPS by default for its connections. Users are strongly advised to update their iPhone to iOS 18.2 or later to benefit from the fix. We'll keep you updated as further enhancements and integrations become available.