
Apple Passwords app security vulnerability may have existed for “years”

A bug in the iOS Passwords app means iPhone users may have been open to a potential phishing attack for years before it was fixed.

In a note on its security page, Apple describes the issue as one where “a privileged network location may be able to leak sensitive information.” The tech giant says it addressed the problem by using HTTPS when sending information over the network.

The bug was first discovered by security researchers at Mysk, who reportedly reported it in September; it appears to have been fixed for several months. In a tweet on Wednesday, Mysk said the Apple Passwords app had used insecure HTTP by default ever since the compromised-password detection feature was introduced in iOS 14, released in 2020.

“iPhone users are vulnerable to phishing attacks,” Mysk tweeted. “The dedicated Passwords app in iOS 18 is essentially a repackaging of the old password manager in Settings, and it carries all of its bugs.”

That said, the chances of someone being caught out by this bug are very low. The bug has also been fixed in security updates for other products, including the Mac, iPad and Vision Pro.

In a YouTube video posted by Mysk, the researchers show how the iOS 18 Passwords app opened links and downloaded account icons over plain HTTP by default, leaving it vulnerable to phishing attacks. The video highlights how an attacker with access to the network could intercept those requests and redirect them to a malicious website.

According to 9to5Mac, the issue allowed an attacker on the same network as the user (such as in a coffee shop or an airport) to intercept the HTTP requests and redirect them.
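As an added illustration (not Apple's code, and not from the article), here is the fetch policy the fix describes, in Python: upgrade plaintext icon and link URLs to HTTPS before any request leaves the device, and refuse a redirect that would drop back to HTTP. The hostnames and the redirect table are constructed placeholders.

```python
from urllib.parse import urlparse, urlunparse

# Added illustration of an HTTPS-only fetch policy (not Apple's code); URLs are constructed.

class InsecureFetchError(ValueError):
    """Raised when a fetch would leave the device as plaintext HTTP."""

def enforce_https(url: str) -> str:
    """Rewrite http:// to https:// before any request is sent; refuse the rest.
    Upgrading first means an on-path attacker never sees a plaintext request
    to intercept.  Other schemes and host-less URLs are refused outright."""
    parts = urlparse(url)
    if not parts.netloc:
        raise InsecureFetchError(f"refusing {url!r}: no host")
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        return urlunparse(parts._replace(scheme="https"))
    raise InsecureFetchError(f"refusing {url!r}: scheme {parts.scheme!r}")

def check_redirect(location: str) -> str:
    """Refuse any redirect target that is not https:// (fail closed, no upgrade).
    An http:// Location is a downgrade, whether it comes from the real server
    or from an attacker answering an intercepted request."""
    parts = urlparse(location)
    if parts.scheme != "https" or not parts.netloc:
        raise InsecureFetchError(f"refusing redirect to {location!r}")
    return location

def resolve_icon_url(url: str, redirects: dict) -> str:
    """Follow a chain of Location headers (given as a constructed mapping)."""
    current = enforce_https(url)
    for _ in range(5):  # bound the chain, as a real client does
        nxt = redirects.get(current)
        if nxt is None:
            return current
        current = check_redirect(nxt)
    raise InsecureFetchError("too many redirects")

def is_refused(url: str, redirects=None) -> bool:
    """True when the policy refuses the fetch (so callers can assert on it)."""
    try:
        resolve_icon_url(url, redirects or {})
    except InsecureFetchError:
        return True
    return False

# Constructed on-path scenario: the icon request is answered with a redirect to
# a phishing page over plaintext; the http:// Location is refused.
HOSTILE = {"https://bank.example/icon.png": "http://phishing.example/login"}
```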

Apple did not respond to a request for comment on the issue or provide further details.

Mysk said the bug was found to be ineligible for a monetary bounty because it did not meet the impact criteria and did not fall into any qualifying category.

“Yes, it feels like doing charity work for a $3 trillion company,” the company said on Twitter. “We don’t do it primarily for money, but it shows how Apple appreciates independent researchers. We’ve spent a lot of time trying to convince Apple that it’s a bug. We’re glad it worked. We’ll do it again.”

A potential security slip

Georgia Cooke, a security analyst at ABI Research, called the issue “not a small bug.”

“It’s a slip-up by Apple, indeed,” Cooke said. “For users, it’s a vulnerability that proves a failure in a basic security protocol, exposing them to a long-standing form of attack which requires limited complexity.”

According to Cooke, most people may never encounter this problem because it requires a very specific set of circumstances, such as choosing to log in from a password manager on a public network without paying attention to whether you are being redirected. That said, it is a good reminder of why it is so important to update your device regularly.

She added that people can take additional steps to protect themselves from such vulnerabilities, especially on shared networks, including routing device traffic over a virtual private network, avoiding sensitive transactions such as credential changes on public Wi-Fi, and not reusing passwords.
