With iOS 18, Apple spun its password manager out of Settings into a standalone Passwords app, its first real chance to make credential management genuinely useful for a large number of users.
It has now come to light that a plain-HTTP bug left many of those users exposed to phishing for roughly three months, from the release of iOS 18 until the fix shipped in iOS 18.2.
The finding comes from the security researchers at Mysk, who noticed it after Apple's own App Privacy Report showed something alarming: the Passwords app had contacted around 130 different websites over unencrypted HTTP. That prompted the duo to dig further, and they found that the app was not only fetching account logos and icons over HTTP but also opening password-reset pages through the unencrypted protocol by default.
That leaves users considerably more exposed: an attacker positioned on the same network can intercept the plaintext request and redirect the user to a phishing page. Many were surprised that Apple did not enforce HTTPS by default in such a sensitive app. Apple should also give privacy-conscious users an option to disable icon downloads altogether.
Many websites still accept plain HTTP connections and then redirect the client to HTTPS with a 301. Before iOS 18.2 the app relied on exactly that: it made its first request over HTTP and followed the redirect to the HTTPS version.
The problem is that the initial HTTP request is unauthenticated. An attacker on the same network as the user (a shared Wi-Fi hotspot, for instance) can intercept that request before the legitimate redirect ever arrives and answer it with whatever they like.
From there the attacker controls the rest of the exchange. In Mysk's demo this meant replacing the redirect with one pointing at a look-alike of Microsoft's live.com, where the victim types their credentials into what looks like a normal HTTPS login page; with those credentials in hand the attacker can mount further attacks. The bug was quietly fixed in December 2024 with iOS 18.2, and Apple has only now disclosed it.
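The following simulation, added here as an illustration and not taken from Mysk's demo or from Apple's code, shows why the 301 does not help: an HTTP-first client gives an on-path attacker one unauthenticated hop to rewrite, while an HTTPS-first client (the iOS 18.2 behaviour) gives it none. The server, the attacker and the look-alike host `login-live-com.example` are all constructed for the example; `login.live.com` is used only as a label for the legitimate destination, and nothing is sent over a real network.

```python
"""HTTP-first vs HTTPS-first client against an on-path attacker (offline simulation).

Added example, not Mysk's demo or Apple's code. Hosts, paths and responses
below are constructed; the look-alike host is hypothetical.
"""
from urllib.parse import urlsplit, urlunsplit

LEGIT_HOST = "login.live.com"              # label for the real login host
LOOKALIKE_HOST = "login-live-com.example"  # hypothetical attacker-controlled host
REDIRECT_CODES = {301, 302, 307, 308}


def origin_server(url):
    """Constructed stand-in for a typical site: plaintext requests get a 301
    to the same URL over HTTPS, HTTPS requests get the page itself."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, {"Location": urlunsplit(("https",) + tuple(parts[1:]))}, b""
    if parts.scheme == "https" and parts.netloc == LEGIT_HOST:
        return 200, {}, b"<form action='/password/reset'>"
    if parts.scheme == "https" and parts.netloc == LOOKALIKE_HOST:
        return 200, {}, b"<form action='/harvest'>"  # phishing page
    return 404, {}, b""


def on_path_attacker(url, response):
    """Attacker on the victim's network. Plaintext HTTP can be answered with
    anything; TLS to the real host is opaque and authenticated, so it passes."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return response
    # Swap the server's redirect for one to a look-alike domain. The victim
    # still lands on HTTPS, so the padlock raises no alarm.
    phish = urlunsplit(("https", LOOKALIKE_HOST, parts.path, parts.query, ""))
    return 301, {"Location": phish}, b""


def fetch(url, attacker=None, https_first=False, max_redirects=5):
    """Follow redirects; return (final_host, status, plaintext_hops).

    https_first=True models the iOS 18.2 fix: upgrade the scheme before the
    first request, so there is no unauthenticated hop left to tamper with."""
    if https_first and url.startswith("http://"):
        url = "https://" + url[len("http://"):]
    plaintext_hops = 0
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        response = origin_server(url)
        if parts.scheme == "http":
            plaintext_hops += 1
            if attacker is not None:
                response = attacker(url, response)
        status, headers, _body = response
        if status in REDIRECT_CODES and "Location" in headers:
            url = headers["Location"]
            continue
        return urlsplit(url).netloc, status, plaintext_hops
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    reset = "http://login.live.com/password/reset"
    print("no attacker, HTTP-first :", fetch(reset))
    print("attacker,    HTTP-first :", fetch(reset, attacker=on_path_attacker))
    print("attacker,    HTTPS-first:", fetch(reset, attacker=on_path_attacker, https_first=True))
```

Without an attacker the HTTP-first client ends up on the legitimate host, which is why the bug was invisible in normal use. With an attacker on the path, the same client is steered to the look-alike over a perfectly valid TLS connection; only the HTTPS-first client, which never sends a plaintext request, reaches the real host. A browser with a cached or preloaded HSTS policy would perform the same upgrade, but a fresh client making its first request to a site has no such policy to rely on.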
The Passwords app now uses HTTPS by default for these connections, so make sure every device is running iOS 18.2 or later. Given how quietly the fix shipped, it would not be surprising if the issue continued to fly under most users' radar.
Image: DIW-Aigen