Security experts revealed Apple’s Passwords app failed to enforce HTTPS for 90 days, letting attackers on shared Wi-Fi redirect users to malicious clones of Microsoft and other sites.
New details have emerged about a flaw in the Passwords app that exposed users to phishing for almost three months, from the release of iOS 18 until the fix shipped in iOS 18.2.
Security researchers at Mysk first spotted the problem in their iPhone's App Privacy Report, which showed that Passwords had contacted 130 different websites over unencrypted HTTP. Digging deeper, they found that the app fetched account logos and icons over HTTP and, by default, also opened password reset pages over the unencrypted protocol.
“This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website,” Mysk revealed to 9to5Mac.
“We were surprised that Apple didn’t enforce HTTPS by default for such a sensitive app,” Mysk explains.
“Additionally, Apple should provide an option for security-conscious users to disable downloading icons completely. I don’t feel comfortable with my password manager constantly pinging each website I maintain a password for, even though the calls Passwords sends don’t contain any ID.”
Here is the phishing attack that Mysk demonstrated:
Most modern websites answer a plain HTTP request with a 301 redirect to HTTPS, but some still serve content over unencrypted HTTP. Before iOS 18.2, the Passwords app opened password reset pages with a plain HTTP request and relied on the site's own redirect to reach the HTTPS version.
Under normal conditions that is acceptable: the password form itself ends up on an encrypted page, so the new credentials are never sent in plaintext.
It breaks down when an attacker sits on the same network (at an airport, a coffee shop or a hotel, for example) and can read and alter that first unencrypted request before the legitimate redirect arrives. From there, several ways of manipulating the flow are possible.
In Mysk's demonstration, the attacker intercepts the HTTP request and answers it with a redirect to a phishing site impersonating live.com, Microsoft's account login domain. Once the victim has typed credentials into the fake page, the attacker can use them for further attacks.
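To make the flow above concrete, here is an added simulation of the three parties involved; it is not Mysk's or Apple's code. It models an origin that 301-redirects HTTP to HTTPS, an on-path attacker who can forge plain-HTTP responses but cannot forge TLS ones, the pre-18.2 client behaviour described in the article (start on http:// and trust whatever redirect comes back), and a hardened client that upgrades the scheme before the first request leaves the device and refuses any non-HTTPS hop. The host names, path and header values are constructed for the example; nothing touches the network.

```python
"""
Simulation of a downgrade-to-phishing attack on a password reset link.
Constructed example: hosts, paths and responses are invented for
illustration and no real HTTP traffic is sent.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Hypothetical hosts (assumptions for the example, not from the report).
LEGIT_HOST = "account.live.com"
PHISH_HOST = "account-live.com"  # look-alike domain run by the attacker

REDIRECT_STATUSES = (301, 302, 307, 308)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def to_https(url: str) -> str:
    """Rewrite the scheme of a URL to https, keeping everything else."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def honest_origin(url: str) -> Response:
    """A well-configured site: plain HTTP gets a 301 to HTTPS, HTTPS serves the page."""
    if urlsplit(url).scheme == "http":
        return Response(301, {"Location": to_https(url)})
    return Response(200, {"Strict-Transport-Security": "max-age=31536000"})


def on_path_attacker(url: str) -> Response:
    """
    Attacker on the shared Wi-Fi: can read and forge unencrypted traffic,
    so any http:// request is answered with a redirect to the phishing
    host. https:// requests cannot be tampered with and reach the origin.
    """
    if urlsplit(url).scheme == "http":
        return Response(301, {"Location": f"https://{PHISH_HOST}/password/reset"})
    return honest_origin(url)


def fetch(url: str, transport, require_https: bool = False, max_hops: int = 5) -> str:
    """
    Follow redirects through `transport` and return the final URL reached.
    With require_https=True, every hop must be https:// or the fetch aborts.
    """
    for _ in range(max_hops):
        if require_https and urlsplit(url).scheme != "https":
            raise ConnectionError(f"refusing non-HTTPS hop: {url}")
        resp = transport(url)
        if resp.status in REDIRECT_STATUSES:
            url = resp.headers["Location"]
            continue
        return url
    raise RuntimeError("too many redirects")


def vulnerable_open(reset_url: str, transport) -> str:
    """Pre-iOS-18.2 behaviour as described: send http:// and trust the redirect."""
    return fetch(reset_url, transport)


def hardened_open(reset_url: str, transport) -> str:
    """
    Hardened behaviour: upgrade to https:// before the first byte leaves the
    device, then refuse to follow any redirect back to plain HTTP.
    """
    if urlsplit(reset_url).scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    return fetch(to_https(reset_url), transport, require_https=True)


def misconfigured_origin(url: str) -> Response:
    """An origin that wrongly bounces HTTPS visitors back to plain HTTP."""
    if urlsplit(url).scheme == "https":
        return Response(302, {"Location": url.replace("https://", "http://", 1)})
    return Response(200)


if __name__ == "__main__":
    reset = f"http://{LEGIT_HOST}/password/reset"
    print("vulnerable, honest network :", vulnerable_open(reset, honest_origin))
    print("vulnerable, attacker on path:", vulnerable_open(reset, on_path_attacker))
    print("hardened,   attacker on path:", hardened_open(reset, on_path_attacker))
```

The important detail is where the protection lives: the vulnerable client is fine on an honest network because the origin's 301 does the upgrade, but that redirect is itself the unauthenticated step the attacker replaces. The hardened client never gives the network an unencrypted request to tamper with, and treats a redirect to http:// as an error rather than a hop.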
The fix actually shipped in December of last year with iOS 18.2, but Apple only disclosed the issue in the past 24 hours. Make sure your devices are running at least iOS 18.2: from that version on, the Passwords app uses HTTPS by default for all of its connections.

Luis Gochoco is a seasoned managing editor and writer with over a decade of experience covering politics, technology, gaming, and entertainment news. With a keen eye for breaking stories and in-depth analysis, he has established himself as a trusted voice in digital journalism. Luis is one of the key forces behind the success of GameNGuide, contributing to 12 million views through engaging and high-traffic content. He also played a pivotal role in generating 8 million views on International Business Times, shaping the platform’s technology and gaming coverage.
Discover more from Today's Esquire