Apple's Passwords App Had a Security Flaw That Exposed Users to Phishing Attacks for Three Months

Apple's revised release notes for the iOS 18.2 update reveal that it patched two issues related to its Passwords app.

Written by David Delima | Updated: 19 March 2025 15:30 IST

Highlights

Apple fixed two flaws with its Passwords app on iOS 18.2
iOS 18.1 rolled out to users in December 2024
Apple has updated its release notes to detail the security fixes

Apple's Passwords App Had a Security Flaw That Exposed Users to Phishing Attacks for Three Months

Apple introduced a standalone Passwords app on iOS 18

Photo Credit: Pexels/ Antoni Shkraba

Apple released a dedicated Passwords app last year, as part of the iOS 18 software update. Instead of a menu inside the Settings app, users can access their passwords and other details via a standalone app. However, the Passwords app had a serious security flaw that exposed users to potential phishing attacks from attackers who were on the same Wi-Fi network. The company recently disclosed that it fixed the security flaw three months after iOS 18 was released.

Apple Fixed Passwords App Vulnerability With iOS 18.2 Update

The iPhone maker recently amended its release notes (via 9to5Mac) for the iOS 18.2 update, which was released in December. The document now includes two entries, both titled 'Passwords', that describe fixes for the app. Apple has credited Mysk security researchers Talal Haj Bakry and Tommy Mysk with identifying the security vulnerability.

According to the company's updated support document, the first patch for the Passwords app on iOS 18.2 fixed two flaws that allowed a user in a privileged network position to leak sensitive information, and alter network traffic.

The Mysk researchers discovered that Apple's Passwords app wasn't using encrypted connections (HTTPS) when fetching details of specific sites, such as site icons. Similarly, password reset pages were loaded over HTTP.

The same flaw would allow an attacker on the same Wi-Fi network to intercept the network request, and direct the device to load a phishing website instead of the legitimate one. If the user trusts the webpage, they might enter their credentials on the fraudulent website.

The cybersecurity firm reported the issue to Apple in September, and Apple's revised support document reveals that it rolled out fixes for the issue with iOS 18.2 in December. Eligible iPhone and iPad models that are running on iOS 18.2 and iPadOS 18.2 or newer versions should not be vulnerable to the flaw.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.