Apple released a dedicated Passwords app last year as part of the iOS 18 software update. The standalone app lets users access their passwords and other details from a single iOS system app, and it was the company’s first move toward making credential management more convenient for users. However, the Passwords app had a serious security flaw that exposed users to potential phishing attacks from attackers on the same Wi-Fi network, which the Cupertino-based tech giant has now reportedly fixed.
What was the security flaw?
According to a new report by 9to5Mac, for nearly three months the Apple Passwords app fetched website icons and opened password reset pages over unencrypted HTTP connections, as revealed by the Mysk researchers. Thankfully, according to the company's updated support document, the first patch for the Passwords app in the latest iOS 18.2 update fixed two flaws that allowed a user in a privileged network position to leak sensitive information and alter network traffic.
Moreover, because these requests were unencrypted, an attacker on the same network could make this earlier version of the Passwords app load a phishing website instead of the legitimate one. If a user then opened the page, they might enter their credentials on the fraudulent website. In a demo, Mysk researchers showed how attackers on public networks, such as in malls or airports, could hijack HTTP requests and redirect users to convincing fake login pages.
The cybersecurity firm reported the issue to Apple in September, and Apple's revised support document reveals that it rolled out fixes for the issue with the stable iOS 18.2 update in December.