And yet you had people on here bragging how they moved all their passwords over to it because Apple cares more about privacy and safety. 😄

Never put all your eggs in one basket. I'd rather trust someone else with my passwords like RoboForm or 1Password, considering that's their main business model; it's certainly not Apple’s.
Definitely good advice. I'd argue the password is a secondary security measure, and geared more towards older security practices. MFA of some kind seems to be (and should be) pushed more. Between two yubikeys, and a half dozen different authenticator apps on my phone, I presume that keeps most of my accounts a lot more secure than a password alone.
 
This is the issue with Apple apps. They are only updated with an entire iOS software update as opposed to 3rd party developers or even Google in the Play Store whose apps are updated through their stores with bug fixes and new features.
 
If this… and if that… and only if this… There might be an opportunity to do something.

But it’s fixed now.

When someone comes up who has actually been affected then I’ll join the whingers and complain.

It’s like saying a driver could drive through a red light and cause an accident. But it didn’t happen!!! And until it does.
Amen. You're so right. Forums and social networks are plagued with this type of non-news and people overreacting to it. Most people don't think before posting their comments. Please put things in perspective before posting comments.
 
It’s indicative of extremely poor coding practices at Apple. The fact this made it through code reviews (which we hope are being performed!) is not a good indicator of the quality of product they are releasing nor their development practices. Most major bugs start with something trivial like this that is overlooked.
Apple has been releasing code with poor coding practice for the last 5+ years. This is no surprise. Cook does not understand software and therefore thinks software development can be sourced to the lowest cost country.
 
That's a problem (and it's been fixed), but it is niche. Someone has to be on the same WiFi network or is in some other way acting as a man-in-the-middle to specifically spoof the intended website. That doesn't make it something to ignore (Apple didn't), but it's something that wouldn't have affected many people. Again, that's niche -- well, probably less than niche.

Apple's programmers shouldn't have been using http, just as Microsoft shouldn't have allowed http connections to live.com, as the team that found this security issue said (comment on their YouTube video): "It's also surprising that Microsoft didn't enforce HTTP Strict Transport Security (HSTS) for its popular domain live.com. Not only Microsoft, we also spotted several other popular services. But we chose live.com for this demo."
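As an added illustration of the HSTS point above (example code, not from the thread, Apple, or Microsoft): a small model of the browser-side rule, using constructed hostnames. A host whose earlier HTTPS response carried a valid Strict-Transport-Security header gets every later http:// request rewritten to https:// before it leaves the device; a host that never sent one (the live.com situation the quoted researchers describe) is requested in cleartext, which is what a same-network attacker can answer.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import re

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool

def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 syntax).
    Returns None when the header is absent or max-age is missing/malformed,
    which is exactly the case a browser ignores."""
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains)

def remember(store: Dict[str, HstsPolicy], host: str, header_value: str) -> None:
    """Update the browser's HSTS store from a response received over HTTPS."""
    policy = parse_hsts(header_value)
    if policy is None:
        return
    if policy.max_age == 0:
        store.pop(host, None)   # max-age=0 tells the browser to forget the host
    else:
        store[host] = policy

def upgrade(store: Dict[str, HstsPolicy], url: str) -> str:
    """Return the URL a browser actually requests for a typed http:// URL."""
    m = re.match(r"http://([^/:]+)(.*)", url)
    if not m:
        return url            # already https, nothing to do
    host, rest = m.group(1), m.group(2)
    labels = host.split(".")
    # exact host match, or a parent domain whose policy covers subdomains
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy and (i == 0 or policy.include_subdomains):
            return "https://" + host + rest
    return url                # no policy known: request leaves the device in cleartext

# Constructed sample responses (hypothetical hosts, not real measurements).
SAMPLE_RESPONSES = {"example-bank.test": "max-age=31536000; includeSubDomains; preload",
                    "no-hsts.test": ""}  # "" stands in for a site that never sends the header

def build_store() -> Dict[str, HstsPolicy]:
    store: Dict[str, HstsPolicy] = {}
    for host, header in SAMPLE_RESPONSES.items():
        remember(store, host, header)
    return store
```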
Oh wow good point. I didn’t know that they weren’t doing HSTS.

Ugh is it too much to ask for multi hundred billion dollar companies to follow best practices?
 
Too bad their subscription model kills everything
I feel that if there’s one thing worth giving a company money for, it’s to keep my most important info secure. It’s $3 / month. That’s cheap for what you’re getting! Defending against ongoing threats requires ongoing development.
 
And yet you had people on here bragging how they moved all their passwords over to it because Apple cares more about privacy and safety. 😄

Never put all your eggs in one basket. I'd rather trust someone else with my passwords like RoboForm or 1Password, considering that's their main business model; it's certainly not Apple’s.

Agreed. Plus with 1Password it's far more feature rich.
 
Excessive software change is a numbers game that leaves the consumer at risk. The old-school "slow down to speed up" is still valid.
 
This bug is so basic that Apple must be embarrassed, as they should have some of their people verify security when they make their first passwords app that is going to be used by millions 🫢
For far too long, Apple has been doing software development the Adobe way: add features with fanfare, fix bugs because of news broadcasts.
 
This is what makes this bug so baffling. Unless Apple has some unfettered access the rest of us do not, you have to put in work to make this bug happen.

Apple privileges themselves and their apps in nearly every case. It's not new, and it leads to things like this bug and the long list of EU demands that they just received today.
 
1password is worth it. Too much of our lives are tied to password security.

It also makes me sad that Strongbox was just acquired for this reason. This is why I was encouraged by Passwords, I was hoping for a really good (interoperable!) example to set the standard for something that is no longer optional. But Apple doesn't seem to have much time to iterate their apps anymore. They have too many distractions.

Looks like the only option for a password manager is going to be a subscription to a service sooner rather than later.

KeePass is still too Windows only. Bitwarden seems to be the last holdout but I'm waiting for something to ruin that too.
 
KeePass is still too Windows only. Bitwarden seems to be the last holdout but I'm waiting for something to ruin that too.
KeePassium is pretty good as an Apple device-friendly KeePass client. It has an iOS/iPadOS and a macOS Catalyst app. Not quite as polished as Strongbox, but fully open source. Free + subscription, and the Pro version is a one-time purchase.
 
True

General population sure, however there are criminal groups, governments, and individuals whose job it is to find info about exploits and quickly use them before being reported and fixed. One would hope bug finders all wear white hats and are wealthy enough not to be tempted or threatened by bad actors. Of course that's not the case. After the 26 billion MOAB list it's academic.
I couldn’t stand being so paranoid as to worry about people sitting at my front door, hacking my wifi just to get a password for my light switches.
 
KeePassium is pretty good as an Apple device-friendly KeePass client. It has an iOS/iPadOS and a macOS Catalyst app. Not quite as polished as Strongbox, but fully open source. Free + subscription, and the Pro version is a one-time purchase.

I bought Strongbox “lifetime” a while ago but turns out lifetime ain’t what it used to be. Assuming the new owners still honor it I’m not sure I’ll still want it.

Not looking forward to having to buy another license just to eventually get screwed again. It may be open source but if someone is receiving money they can sell out and I’ll be in the same boat.

Seems we can either choose between truly free but no promises and paid but also no promises.
 
hacking my wifi just to get a password for my light switches

They actually want access to your EcoB w/Alexa so as to capture all one's post-shower pep-talk convo . . . and the really gritty-narsty stuff, like appointments made with Pest Control and Com-Post-Now techs :)
 
I feel that if there’s one thing worth giving a company money for, it’s to keep my most important info secure. It’s $3 / month. That’s cheap for what you’re getting! Defending against ongoing threats requires ongoing development.
$5 a month if you have a partner, but on their website they do advertise as one of their most important features…
  • Friendly email support
That’s groundbreaking as one of their main features… They offer nothing I want and can’t get on Apple, plus I get a better cross-device experience.

They also have their fair share of breaches and vulnerabilities:

"When malware or a malicious user gains full control over a user’s device, there is little that can be done to guarantee its security. We have since addressed the vulnerabilities within our control"
I’m a fan of 1Password, but let’s not pretend they are actually better than Apple.
 