Apple Quietly Fixed a Passwords App Bug That Exposed Users to Phishing Attacks

Apple has fixed a security flaw in its Passwords app that exposed users to phishing attacks for three months after its launch with iOS 18.

As 9to5Mac reports, the vulnerability was discovered by security researchers at Mysk, who reported it to Apple in September. The app used the HTTP protocol instead of the more secure HTTPS to open links and download app icons. With that approach, “an attacker with privileged network access can easily intercept the HTTP request and redirect the victim to a malicious website controlled by the attacker,” the researchers say. 

Apple patched the issue with iOS 18.2 and macOS 15.2. While it was included in a Dec. 11 Mac security content document, it wasn’t added to the iPhone’s document until Monday. “This issue was addressed by using HTTPS when sending information over the network,” Apple says.

The devices at risk included Macs running macOS Sequoia, iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

Apple’s password management tool was previously part of Settings before being elevated to app status in September. If you have been using the service to store passwords and unlock apps without entering the password, we recommend updating your software to the latest version.

On iPhones, you can go to Settings > General > Software Update. On Macs, you can click on the Apple menu (Apple logo) and go to System Settings > General > Software Update.

On iPhones, installing iOS 18.3.2 will also ensure your device is protected against a zero-day WebKit vulnerability exploited in “extremely sophisticated” attacks.

About Jibin Joseph

Contributor

Jibin Joseph

Jibin is a tech news writer based out of Ahmedabad, India. Previously, he served as the editor of iGeeksBlog and is a self-proclaimed tech enthusiast who loves breaking down complex information for a broader audience.
