Apple fixed a bug in its Passwords app with December's iOS 18.2 update that had left users vulnerable to phishing attacks in the three months since the launch of iOS 18.


According to an Apple security update spotted by 9to5Mac, the Passwords app was sending unencrypted requests for the logos and icons associated with users' stored passwords.

Without the protection of encryption, an attacker on the same Wi-Fi network could redirect a user's browser to a clone phishing site where login details could be stolen. The vulnerability was first discovered by developer Mysk's security researchers and reported in September.

Apple's iOS 18.2 security release notes described the bug like so:
Impact: A user in a privileged network position may be able to leak sensitive information

Description: This issue was addressed by using HTTPS when sending information over the network.

Apple lists the bug in security content updates for the Mac, iPad, and Vision Pro, indicating that this issue was fixed across multiple OSes.

Article Link: Apple Passwords App Bug Left Users Vulnerable to Phishing Attacks for Months Before Being Fixed
 
This bug is so basic that Apple must be embarrassed, as they should have some of their people verify security when they make their first passwords app that is going to be used by millions 🫢
Needs to be on the local Wi-Fi network; if you are using public Wi-Fi, even at school or work, the potential of being compromised would be there. If only at home, no biggie unless your neighbours are creeps.
 
If this… and if that… and only if this…. There might be an opportunity to do something.

But it’s fixed now.

When someone comes up who has actually been affected then I’ll join the whingers and complain.

It’s like saying a driver could drive through a red light and cause an accident. But it didn’t happen!!! And until it does.
 
One advantage of Android over iOS is you can update core apps without waiting for a system software update.

iOS is still the go-to for getting early access to apps and the consistent quality of photos and videos, whether you are using Apple's default camera app or non-Apple apps like Instagram, Snapchat, etc.
 
One advantage of Android over iOS is you can update core apps without waiting for a system software update.

iOS is still the go-to for getting early access to apps and the consistent quality of photos and videos, whether you are using Apple's default camera app or non-Apple apps like Instagram, Snapchat, etc.
Is that an advantage when we know many vulnerabilities are accessed through apps?
 
What’s surprising is the lack of HTTPS?

For this to work one must have knowledge of the vulnerability, then create a fake website and hope the conditions are correct to exploit. Is it possible? Yes. Is it probable? No.
Indeed. The bug isn't leaking username or password information, but it is leaking a list of websites at which the user has an account, so that is useful information. On its own, it's not going to cause anyone any major nightmares, and it is hacking at a relatively small scale where the bad actor needs to be on a local network where there are Apple devices.
 
It’s good this security issue was fixed, but the probability that it would be exploited was less than tiny, even on public WiFi networks. That means the real world implications were negligible. It’s addressed now. Move along and stop worrying about this issue.

Edit: In case people are just reading the first page and down/up-voting based on an incomplete discussion, here's what I have in a later comment:

Someone has to be on the same WiFi network or is in some other way acting as a man-in-the-middle to specifically spoof the intended website. That doesn't make it something to ignore (Apple didn't), but it's something that wouldn't have affected many or any people.

Apple's programmers shouldn't have been using http, just as Microsoft should have forced https connections to live.com, as the team that found this security issue said (comment on their YouTube video): "It's also surprising that Microsoft didn't enforce HTTP Strict Transport Security (HSTS) for its popular domain live.com. Not only Microsoft, we also spotted several other popular services. But we chose live.com for this demo."

That's not to blame Microsoft and not Apple, but this issue isn't only affecting Apple. It was, again, not a major issue (which doesn't mean it was not an issue).
 
If this… and if that… and only if this…. There might be an opportunity to do something.

But it’s fixed now.

When someone comes up who has actually been affected then I’ll join the whingers and complain.

It’s like saying a driver could drive through a red light and cause an accident. But it didn’t happen!!! And until it does.

Did you just say that you'll only complain about people driving through red lights once they cause an accident?
 
If they fixed these bugs before they got around to causing havoc we would avoid all of these fishing attacks. The alliance between the bugs and fish has proven rather annoying.
 
The thing about the app downloading icons via HTTP is a bit of a red herring; it was the clue for some security researchers to look at what the app was doing, but it isn't the main issue. Although revealing you have an account with a website by requesting the icons over HTTP is definitely a privacy fail.

From reading the description of what the researchers found, the main problem is if someone wanted to reset their password on a website by using the reset link provided in the Passwords app. The app wasn't using HTTPS for these links, so if this was done on a public Wi-Fi network then someone could intercept the traffic and serve fake password reset pages. Probably a less common issue in the age of 5G connections, but certainly worth fixing once it was found.
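The two defensive checks the thread keeps circling back to (the post above on cleartext icon and reset links, and the earlier post quoting the researchers on live.com lacking HSTS) can be expressed as a small audit. This is an added example, not Apple's, Mysk's or MacRumors' code; the entries, header values and thresholds are constructed for illustration.

```python
"""Audit a password manager's outbound URLs for cleartext HTTP and check
server HSTS headers. Added example with constructed data (not Apple's code)."""
from urllib.parse import urlparse

# Constructed sample: the kind of per-site data a password manager holds.
ENTRIES = [
    {"site": "bank.example", "icon_url": "http://bank.example/favicon.ico",
     "reset_url": "http://bank.example/reset"},
    {"site": "mail.example", "icon_url": "https://mail.example/favicon.ico",
     "reset_url": "https://mail.example/account/recover"},
]

# Constructed Strict-Transport-Security headers as a server might return them.
SAMPLE_HSTS = {
    "bank.example": None,                                   # no HSTS at all
    "mail.example": "max-age=31536000; includeSubDomains",  # one year
    "shop.example": "max-age=300",                          # too short to matter
}


def plaintext_urls(entries):
    """Return (site, field, url) for every URL the app would fetch over
    cleartext HTTP; these are the requests a same-network attacker can tamper with."""
    findings = []
    for entry in entries:
        for field in ("icon_url", "reset_url"):
            if urlparse(entry[field]).scheme.lower() != "https":
                findings.append((entry["site"], field, entry[field]))
    return findings


def parse_hsts(header_value):
    """Split an HSTS header into {directive: value}; names are case-insensitive
    per RFC 6797, and value-less directives map to None."""
    directives = {}
    for part in (header_value or "").split(";"):
        part = part.strip()
        if part:
            name, has_value, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"') if has_value else None
    return directives


def hsts_ok(header_value, min_age=31536000):
    """True when HSTS is present with max-age of at least min_age seconds (default
    one year). Note: HSTS only protects visits after the browser has seen the header,
    so it complements, rather than replaces, using https:// links in the first place."""
    age = parse_hsts(header_value).get("max-age")
    return age is not None and age.isdigit() and int(age) >= min_age
```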
 
And yet you had people on here bragging how they moved all their passwords over to it because Apple cares more about privacy and safety. 😄

Never put all your eggs in one basket. I'd rather trust someone else with my passwords like RoboForm or 1Password, considering that's their main business model; it's certainly not Apple’s.
 
This bug is so basic that Apple must be embarrassed, as they should have some of their people verify security when they make their first passwords app that is going to be used by millions 🫢

This is what happens when you favor leetcode over real experience during the hiring process. You get people who miss the absolute basics of security.
 
Needs to be on the local Wi-Fi network; if you are using public Wi-Fi, even at school or work, the potential of being compromised would be there. If only at home, no biggie unless your neighbours are creeps.
Public Wi-Fi networks (usually) have client-to-client communication blocking, that is, you can only send frames to the AP.
In theory, if the SSID is only protected by a PSK, which is by default shared across all connected devices (hence its name), you could record the radio communication and decrypt it later.

A good way to capitalise on this vulnerability would be to have IoT-like devices from shady sources on your home network.
 