A worrying Apple Password App vulnerability reportedlyleft users exposed for months

News
By published

Users were at risk of phishing attacks for three months

A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
(Image credit: Getty Images)
  • Apple's Password App has been patched after a vulnerability was discovered
  • The flaw left users exposed for three months, experts claim
  • Users were at risk of social engineering attacks

A bug in the iOS 18.2 Passwords app which left users vulnerable to phishing attacks for over three months after its release, has been fixed, according to an update from Apple.

The flaw was discovered after security researchers at Mysk noticed that their device’s App Privacy Report showed the Passwords App had contacted 130 different websites over insecure HTTP traffic.

The app used the HTTP protocol instead of a more secure HTTPS when opening links and downloading app icons. Upon further investigation, the researchers found that the app also defaulted to opening password reset pages with the unencrypted protocol. This left users vulnerable as an attacker “privileged network access could intercept the HTTP request and redirect the user to a phishing website,” the researchers told 9to5Mac.

Patch now

The risk in this attack is that cybercriminals will use the vulnerability to carry out social engineering attacks by redirecting victims to insecure websites.

The Password app will now use HTTPS for all connections by default - so ensure your Apple devices are all updated and using iOS 18.2 or later.

Research has shown security attacks on password managers have soared in recent months, with reports finding a threefold increase in malware that targets credentials in password stores.

The attacks are also growing in sophistication , with cybercriminals prioritizing “complex, prolonged, multi-stage attacks” delivered with an all-new generation of malware. This new malware, like infostealers, comes with more persistence, stealth, and automation.

The best, and most secure, password manager tools will safely store, generate, and crucially autofill your website and app passwords. These can help you create and manage your unique and strong passwords without the hassle of having to remember each one.

You might also like

Ellen Jennings-Trace
Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Apple Siri
Update your Apple device now: iOS 18.3.2 fixes a flaw that could be exploited by hackers
An iPhone with a 10:30am alarm ringing next to an Apple Watch that displays the time as 12:42pm
Apple warns "extremely sophisticated attack" hits iPhones and iPads, so update now
An option to add Ambient Music buttons to the iOS 18.4 Control Center.
Apple fixes dangerous zero-day used in attacks against iPhones and iPads
Apple's new "Share Item Location" feature for AirTags.
Apple security alert - zero-day patched, so update your devices now
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
A person at a laptop with a cybersecure lock symbol floating above it.
Parallels Desktop has some worrying security flaws for Mac users
Latest in Security
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedlyleft users exposed for months
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware
AI tools.
Not even fairy tales are safe - researchers weaponise bedtime stories to jailbreak AI chatbots and create malware
Data leak
Top California sperm bank suffers embarrassing leak
An Android phone being held in the hand
These malicious Android apps were installed over 60 million times - here's how to stay safe
ransomware avast
Billions of credentials were stolen from businesses around the world in 2024
Latest in News
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedlyleft users exposed for months
ExpressVPN mobile app and Aircove
ExpressVPN ‘reduces workforce’ for the second time in two years
The Nanoleaf PC Screen Mirror Lightstrip being used on a desktop computer.
Mac gaming could get an intriguing boost – but not in the way you'd expect
Snapdragon G Series
Qualcomm poised to muscle in on AMD's territory with powerful gaming handheld processors
David running in the desert in House of David.
Prime Video’s hit new historical drama will continue its reign for another season as House of David gets renewed
Student sat at a desk with a laptop in a dormitory looking at a mobile phone
Windows 11 could eventually help you understand how fast your PC is - as well as offer tips for making your PC or laptop faster for free
More about security
DeepSeek

Fake DeepSeek installers are infecting your device with dangerous malware
Data leak

Top California sperm bank suffers embarrassing leak
PlayAI

What is PlayAI: Everything we know about this text-to-speech, voice-cloning platform
See more latest
Most Popular
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware
The new KontrolFreek Call of Duty Performance Thumbsticks on a purple background.
Exclusive: the new KontrolFreek Call of Duty Performance Thumbsticks Speed Cola Edition might be the coolest looking yet and come with a limited in-game item
David running in the desert in House of David.
Prime Video’s hit new historical drama will continue its reign for another season as House of David gets renewed
ExpressVPN mobile app and Aircove
ExpressVPN ‘reduces workforce’ for the second time in two years
The Nanoleaf PC Screen Mirror Lightstrip being used on a desktop computer.
Mac gaming could get an intriguing boost – but not in the way you'd expect
Data leak
Top California sperm bank suffers embarrassing leak
Snapdragon G Series
Qualcomm poised to muscle in on AMD's territory with powerful gaming handheld processors
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Thursday, March 20 (game #382)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Thursday, March 20 (game #648)
Quordle on a smartphone held in a hand
Quordle hints and answers for Thursday, March 20 (game #1151)