A worrying Apple Password App vulnerability reportedly left users exposed for months


  • Apple's Password App has been patched after a vulnerability was discovered
  • The flaw left users exposed for three months, experts claim
  • Users were at risk of social engineering attacks

A bug in the iOS 18.2 Passwords app, which left users vulnerable to phishing attacks for over three months after its release, has been fixed, according to an update from Apple.

The flaw was discovered after security researchers at Mysk noticed that their device’s App Privacy Report showed the Passwords App had contacted 130 different websites over insecure HTTP traffic.

The app used the HTTP protocol instead of the more secure HTTPS when opening links and downloading app icons. Upon further investigation, the researchers found that the app also defaulted to opening password reset pages with the unencrypted protocol. This left users vulnerable, as an attacker with “privileged network access could intercept the HTTP request and redirect the user to a phishing website,” the researchers told 9to5Mac.
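To show why the scheme of the first request matters, the following added example (not code from Apple or the Mysk researchers) upgrades a saved link to HTTPS and lists every hop of a redirect chain that would travel in cleartext. The function names and the `example.com` URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

def upgrade_to_https(url):
    """Return the URL a client should open: bare hosts and http:// become https://."""
    if "://" not in url:
        url = "https://" + url            # saved entry with no scheme
    parts = urlsplit(url)
    if parts.scheme == "http":
        netloc = parts.netloc
        if netloc.endswith(":80"):        # default HTTP port is meaningless for HTTPS
            netloc = netloc[:-3]
        parts = parts._replace(scheme="https", netloc=netloc)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-web scheme: {parts.scheme!r}")
    return urlunsplit(parts)

def cleartext_hops(start_url, locations):
    """Resolve a redirect chain and return (index, url) for every hop fetched over
    plain HTTP. Each such hop is a request an on-path attacker can answer instead
    of the real server, even when the site itself redirects to HTTPS."""
    hops = [start_url]
    for location in locations:            # Location headers may be relative
        hops.append(urljoin(hops[-1], location))
    return [(i, u) for i, u in enumerate(hops) if urlsplit(u).scheme != "https"]

if __name__ == "__main__":
    # Constructed sample data, not captured traffic.
    saved = "http://example.com/reset"
    # Site redirects to HTTPS, but hop 0 already went out unencrypted.
    print(cleartext_hops(saved, ["https://example.com/reset"]))
    # Same link upgraded before opening: no cleartext hop.
    print(cleartext_hops(upgrade_to_https(saved), ["/account/reset"]))
    # A later downgrade to HTTP is flagged as well.
    print(cleartext_hops("https://example.com/reset", ["http://example.com/login"]))
```

A server-side redirect from HTTP to HTTPS does not remove the exposure, because the first request has already left the device unencrypted.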

Patch now

The risk in this attack is that cybercriminals will use the vulnerability to carry out social engineering attacks by redirecting victims to insecure websites.

The Passwords app will now use HTTPS for all connections by default, so ensure your Apple devices are all updated and using iOS 18.2 or later.

Research has shown security attacks on password managers have soared in recent months, with reports finding a threefold increase in malware that targets credentials in password stores.

The attacks are also growing in sophistication, with cybercriminals prioritizing “complex, prolonged, multi-stage attacks” delivered with an all-new generation of malware. This new malware, like infostealers, comes with more persistence, stealth, and automation.

The best, and most secure, password manager tools will safely store, generate, and crucially autofill your website and app passwords. These can help you create and manage your unique and strong passwords without the hassle of having to remember each one.


Ellen Jennings-Trace
Staff Writer
