Apple fixes Passwords app security bug with new 18.2 update
Make sure to update to the latest 18.2 operating system version to get the fix
Apple has finally fixed a security bug with its new password manager app which could have put your data at risk.
The provider first introduced Passwords with the long-awaited iOS 18 update as a built-in application to help you manage your login details and alert you if they're compromised in a data breach. Developer and security researcher Tommy Mysk, however, found a vulnerability in its system soon after the launch.
Apple confirmed that the new 18.2 operating system update has solved the issue that an attacker could have exploited to "alter network traffic." Mysk now urges everyone to upgrade all their Apple devices to the latest version to patch the critical issue as soon as possible.
iOS 18.2 security update
"Since iOS 18 launched, the new Passwords app has been using unencrypted HTTP to download icons for password entries – a potential security risk. We reported this bug to Apple in September, and it’s finally fixed in iOS 18.2 (CVE-2024-54492)," Mysk wrote on X on Wednesday, December 11, 2024.
HTTP (Hypertext Transfer Protocol) is the set of rules used to transfer data on the Internet and to load webpages. As the iOS expert explains, malicious networks can easily intercept and manipulate insecure HTTP traffic.
The problem was that every time you added a new password, Passwords fetched the account's icon from the added website (gmail.com, for example), contacting the website over insecure HTTP.
"This malicious network overwrites the response to return a custom icon," said Mysk. "Passwords picked the custom icon and showed it in the app. This could be a malicious payload."
"This issue was addressed by using HTTPS when sending information over the network," confirmed Apple in its 18.2 security update release.
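The class of fix described above can be sketched as a fetch policy. This is an added example, not Apple's code and not part of Mysk's report: it builds the icon URL as HTTPS only, refuses any redirect hop that falls back to cleartext, and, going one step beyond the article, checks that the body really is an image. The `/favicon.ico` path, the size cap and all function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

MAX_ICON_BYTES = 256 * 1024  # assumed cap, not a value from the article

# Leading bytes of image formats commonly used for site icons.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x00\x00\x01\x00": "ico",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def icon_url(domain):
    """Build the icon URL for a password entry's domain; always HTTPS."""
    host = domain.strip().lower().rstrip(".")
    if not host or any(c in host for c in "/:@?# \t"):
        raise ValueError(f"not a bare host name: {domain!r}")
    return f"https://{host}/favicon.ico"  # path is an assumption

def check_hops(hops):
    """Refuse the fetch if any URL in its redirect chain is not HTTPS."""
    for url in hops:
        if urlsplit(url).scheme != "https":
            raise ValueError(f"cleartext hop refused: {url}")

def sniff_image(body):
    """Return the image type from magic bytes, or raise if not an image."""
    if len(body) > MAX_ICON_BYTES:
        raise ValueError("icon too large")
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    raise ValueError("response is not a recognised image")

def accept_icon(domain, hops, body):
    """Apply all checks to one completed fetch; hops[0] must be our own URL."""
    if not hops or hops[0] != icon_url(domain):
        raise ValueError("fetch did not start at the HTTPS icon URL")
    check_hops(hops)
    return sniff_image(body)

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample body
    print(accept_icon("gmail.com", ["https://gmail.com/favicon.ico"], png))
```

HTTPS is what stops a network in the middle from rewriting the response; the content check only limits what a compromised or misconfigured origin can hand back.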
The Passwords fix is now available for all devices (iPhone and iPad 18.2, as well as macOS Sequoia 15.2) after upgrading to the latest version.
Mysk urges everyone to upgrade their devices as soon as possible, noting that another security company, Tenable, also classified the vulnerability as "critical."
The 18.2 update isn't just about fixing vulnerabilities, though. The release is probably the biggest Apple Intelligence upgrade for iPhone, iPad, and Mac so far, in fact, bringing some of the most-anticipated Apple AI features to devices including Genmoji, Image Playground, and a ChatGPT-powered Siri.
Most notably, Apple Intelligence finally extends its support to Australia, Canada, Ireland, New Zealand, South Africa, and the UK.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com