Apple’s Passwords App Security Flaw Was Potentially There ‘For Years’

A bug in the iOS Passwords app that meant iPhone users were susceptible to potential phishing attacks has been fixed after possibly being present for years.

In a note on its security page, Apple described the issue as one where “a user in a privileged network position may be able to leak sensitive information.” The problem was fixed by using HTTPS when sending information over the network, the tech giant said.

The bug, first discovered by security researchers at Mysk, was reported back in September but appeared to be left unfixed for several months. In a tweet Wednesday, Mysk said Apple Passwords had used insecure HTTP by default since the compromised-password detection feature was introduced in iOS 14, which was released back in 2020.

“iPhone users were vulnerable to phishing attacks for years, not months,” Mysk tweeted. “The dedicated Passwords app in iOS 18 was essentially a repackaging of the old password manager that was in the Settings, and it carried along all of its bugs.”

That said, the likelihood of someone falling victim to this bug is very low. The bug was also addressed in security updates for other products, including the Mac, iPad and Vision Pro.

In the caption of a YouTube video highlighting the issue, the Mysk researchers explained how the iOS 18 Passwords app had been opening links and downloading account icons over insecure HTTP by default, leaving it open to phishing attacks. The video shows how an attacker with access to the same network could intercept those requests and redirect them to a malicious site.

According to 9to5Mac, the issue poses a problem when the attacker is on the same network as the user, such as at a coffee shop or airport, and intercepts the HTTP request before it redirects.
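The passage above describes the core mechanism: a client that sends its first request over plain HTTP exposes that request to anyone on the same network, even if the server would later redirect it to HTTPS. The following Python model is an added illustration, not code from Apple, Mysk or the article, and it assumes nothing about how the Passwords app is actually implemented. It uses a constructed in-memory "network" in place of real I/O: a server that answers HTTP with a redirect to HTTPS, and a passive observer that records every request crossing the wire in plaintext. It contrasts an "HTTP by default, follow redirects" client with one that enforces an HTTPS-only URL policy before anything leaves the device, which is the class of fix Apple describes ("using HTTPS when sending information over the network").

```python
"""Why 'HTTP first, then redirect to HTTPS' leaves a window on shared Wi-Fi,
and how an HTTPS-only client policy closes it.

Constructed simulation: no real network traffic is sent."""
from dataclasses import dataclass, field
from urllib.parse import urlparse, urlunparse


class InsecureURLError(ValueError):
    """Raised when a URL cannot be made HTTPS-only."""


def harden_url(url: str, upgrade_http: bool = True) -> str:
    """Return an https:// form of `url`, or raise.

    - https URLs pass through unchanged
    - http URLs are rewritten to https when upgrade_http is True
    - anything else (ftp, javascript, data, missing scheme) is rejected
    """
    parts = urlparse(url)
    if parts.scheme == "https" and parts.netloc:
        return url
    if parts.scheme == "http" and parts.netloc and upgrade_http:
        return urlunparse(parts._replace(scheme="https"))
    raise InsecureURLError(f"refusing non-HTTPS URL: {url!r}")


@dataclass
class SimNetwork:
    """Toy network (constructed): the 'server' redirects http -> https, and a
    passive observer logs every request that crosses it in plaintext."""
    plaintext_seen: list = field(default_factory=list)

    def send(self, url: str) -> tuple[int, str]:
        parts = urlparse(url)
        if parts.scheme == "http":
            # Visible, and rewritable, by anyone on the same network segment.
            self.plaintext_seen.append(url)
            return 301, urlunparse(parts._replace(scheme="https"))
        # Encrypted: the observer learns nothing it can act on.
        return 200, url


def weak_fetch(url: str, net: SimNetwork, max_redirects: int = 3) -> str:
    """Client that sends whatever scheme the URL carries and follows redirects.
    This mirrors the 'HTTP by default' behaviour the article describes: the
    redirect arrives only after the plaintext request has already been sent."""
    for _ in range(max_redirects + 1):
        status, location = net.send(url)
        if status == 200:
            return location
        url = location
    raise RuntimeError("too many redirects")


def hardened_fetch(url: str, net: SimNetwork) -> str:
    """Client that upgrades or rejects the URL first, so no plaintext request
    ever leaves the device."""
    status, location = net.send(harden_url(url))
    if status != 200:
        raise RuntimeError(f"unexpected status {status} for {location}")
    return location


def compare(url: str) -> tuple[int, int]:
    """Number of plaintext requests exposed by each client for the same URL."""
    weak_net, strong_net = SimNetwork(), SimNetwork()
    weak_fetch(url, weak_net)
    hardened_fetch(url, strong_net)
    return len(weak_net.plaintext_seen), len(strong_net.plaintext_seen)


if __name__ == "__main__":
    for u in ("http://example.com/change-password",
              "https://example.com/icon.png"):
        weak, strong = compare(u)
        print(f"{u}: weak client exposed {weak}, hardened client exposed {strong}")
```

The server-side redirect is not a substitute for a client-side policy: in the model, `weak_fetch` of an `http://` link exposes exactly one plaintext request before the redirect takes effect, which is the window the article says an on-path attacker would use, while `hardened_fetch` exposes none. Rejecting non-web schemes outright in `harden_url` is a deliberate choice for a password manager, where a stored "change password" link should only ever open a web page.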

Apple didn’t respond to a request for comment about the issue or provide further details.

Mysk said spotting the bug did not qualify for a monetary bounty because it didn’t meet the impact criteria or fall into any of the eligible categories.

“Yes, it feels like doing charity work for a $3 trillion company,” the company tweeted. “We didn’t do this primarily for money, but this shows how Apple appreciates independent researchers. We had spent a lot of time since September 2024 trying to convince Apple this was a bug. We’re glad it worked. And we’d do it again.”

A potential security slipup

Georgia Cooke, a security analyst at ABI Research, called the issue “not a small-fry bug.”

“It’s a hell of a slip from Apple, really,” Cooke said. “For the user, this is a concerning vulnerability demonstrating failure in basic security protocols, exposing them to a long-standing attack form which requires limited sophistication.”

According to Cooke, most people probably won’t run into this issue because it requires a pretty specific set of circumstances, such as choosing to update your login from a password manager, doing it on a public network and not noticing if you’re being redirected. That said, it’s a good reminder of why keeping your devices updated regularly is so important.

She added that people can take extra steps to protect themselves from these kinds of vulnerabilities, especially on shared networks. This includes routing device traffic through a virtual private network, avoiding sensitive transactions such as credential changes on public Wi-Fi and not reusing passwords.
