Apple’s Passwords App Had a Major Security Flaw—Here’s What You Need to Know
Apple’s recently launched Passwords app was vulnerable to phishing attacks for nearly three months before the company quietly patched the issue in a software update. Security researchers at Mysk discovered that the app, introduced with iOS 18, was making unencrypted HTTP requests to retrieve website icons linked to stored credentials. This flaw created a potential attack vector, allowing hackers on the same Wi-Fi network to intercept and manipulate these requests, directing users to malicious sites.
The vulnerability could have enabled attackers to replace legitimate website icons with fake ones, tricking users into entering their credentials on phishing sites. While Apple has now fixed the issue in iOS 18.2 by enforcing HTTPS for all connections, the discovery raises concerns about the initial oversight in a security-focused application.
Passwords, Apple’s answer to dedicated password managers like 1Password and Bitwarden, was introduced as part of its broader push for integrated security solutions. The app syncs credentials across devices via iCloud Keychain and offers autofill features for easy logins. However, this security lapse could dent confidence in Apple’s commitment to airtight privacy.
Security experts recommend that users ensure their devices are updated to iOS 18.2 or later to mitigate any potential risks. Additionally, they advise using two-factor authentication (2FA) wherever possible to add an extra layer of protection.
With Apple increasingly positioning itself as a privacy-first company, this incident highlights the challenges of maintaining security across its expanding ecosystem of services. The fix underscores the importance of ongoing security audits, particularly for applications handling sensitive user data.
Source: 9to5Mac