Apple Passwords left users open to targeted phishing attacks
From iOS 18 when the Passwords app debuted to the iOS 18.2 update, users could have exposed passwords to a bad actor on a privileged network, but you’re likely safe.
Apple released iOS 18 in September 2024 with the new Passwords app, but it relied on the less secure HTTP protocol, not HTTPS, when opening links or fetching icons. This meant a bad actor on a privileged network could intercept the HTTP request and redirect users to a fake website and harvest the login.
Security research company Mysk uncovered this issue and reported it to Apple in September, and the Passwords app was patched in December with iOS 18.2. That means the vulnerability was live in the wild for those three months and continued to be for anyone running a release prior to iOS 18.2.
Apple didn’t disclose the vulnerability or patch until March 17, 2025 — which was discovered by 9to5Mac. This was likely to protect users that still hadn’t updated and keep the issue under wraps until a certain threshold was reached.
If anyone is still running anything prior to iOS 18.2, they should update ASAP. However, it is highly unlikely anyone was targeted with the vulnerability due to the specificity of the attack vector.
In order to expose your passwords via the Apple Passwords app, the user would need to:
- Be on a Wi-Fi network where bad actors could also be, like a coffee shop or airport.
- The bad actor would need to know of the vulnerability and actively try to exploit it.
- The user would need to open Apple Passwords, open a password, then tap a link in the app to redirect to a login from the Passwords app.
- The bad actor would need to be looking for this and intercept the traffic, swapping in a fake login page for the website you’re trying to reach.
The Passwords app was not vulnerable when being used to sign into apps or websites using the autofill function. It only occurred when launching a login page from the app.
General use of the Passwords app outside of a network infiltrated by a bad actor was harmless, as HTTP requests would be 301 redirected to HTTPS automatically. There is little chance of the vulnerability being exploited in the wild.
What to do about the Passwords app vulnerability
If you’re concerned at all by this vulnerability, there are a couple of steps you can take today. The most obvious one is to update all your device operating systems to the latest version.
Think back to your use of the Passwords app. If you have never changed a password or tried to log in using a link from the Passwords app, or didn’t even realize that was possible, then you’re fine.
If you’re still concerned, it’s never a bad idea to go change the password for some of your more sensitive accounts. Go update passwords for your bank, email, work, and other significant accounts.
