- Apple’s Password App has been patched after a vulnerability was discovered
- The flaw left users exposed for three months, experts claim
- Users were at risk of social engineering attacks
A bug in the iOS 18.2 Passwords app which left users vulnerable to phishing attacks for over three months after its release, has been fixed, according to an update from Apple.
The flaw was discovered after security researchers at Mysk noticed that their device’s App Privacy Report showed the Passwords App had contacted 130 different websites over insecure HTTP traffic.
The app used the HTTP protocol instead of a more secure HTTPS when opening links and downloading app icons. Upon further investigation, the researchers found that the app also defaulted to opening password reset pages with the unencrypted protocol. This left users vulnerable as an attacker “privileged network access could intercept the HTTP request and redirect the user to a phishing website,” the researchers told 9to5Mac.
Patch now
The risk in this attack is that cybercriminals will use the vulnerability to carry out social engineering attacks by redirecting victims to insecure websites.
The Password app will now use HTTPS for all connections by default – so ensure your Apple devices are all updated and using iOS 18.2 or later.
Research has shown security attacks on password managers have soared in recent months, with reports finding a threefold increase in malware that targets credentials in password stores.
The attacks are also growing in sophistication , with cybercriminals prioritizing “complex, prolonged, multi-stage attacks” delivered with an all-new generation of malware. This new malware, like infostealers, comes with more persistence, stealth, and automation.
The best, and most secure, password manager tools will safely store, generate, and crucially autofill your website and app passwords. These can help you create and manage your unique and strong passwords without the hassle of having to remember each one.
Leave a comment