Apple has fixed a bug in the iOS Passwords app that left iPhone users open to phishing, possibly for years. The issue, reported by security researchers at Mysk, allowed an attacker in a privileged network position (on the same Wi-Fi network, or anywhere else on the path between the phone and the server) to leak sensitive information. Mysk demonstrated it in a YouTube video: the iOS 18 Passwords app opened links and downloaded account icons over cleartext HTTP, so anyone able to intercept that traffic could alter the responses and steer the user to a look-alike page. Apple fixed the bug by making the app send these requests over HTTPS.
The bug was first reported back in September but remained unfixed for several months until Apple addressed it in security updates for various products, including the iPhone, Mac, iPad, and Vision Pro. Mysk pointed out that the problem with the Passwords app in iOS 18 was essentially a repackaging of the old password manager in Settings, carrying along all of its bugs. The researchers noted that iPhone users were vulnerable to phishing attacks for years due to the use of insecure HTTP by default since the compromised password detection feature was introduced in iOS 14.
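The following is an added example, not code from the article, from Mysk or from Apple. It models the security point above: a request sent over cleartext HTTP can be answered by whoever sits on the network path, while the same request over HTTPS cannot, and it shows two checks a practitioner would run on their own app, one over a list of request URLs (such as those captured with an intercepting proxy) and one over an iOS Info.plist for App Transport Security opt-outs. The hostnames, paths, sample request list and plist are constructed for illustration, and the ATS check is general iOS guidance, not a description of how Apple fixed its own app.

```python
# Added example (not from the article, Mysk or Apple): why cleartext HTTP is a
# phishing risk, plus two checks for an app under test. All hosts, paths and
# sample data below are constructed.
import plistlib
from typing import List, Optional, Tuple
from urllib.parse import urlparse, urlunparse

# Constructed sample of the requests a password manager might make when a user
# opens an account's website and the app fetches that site's icon.
SAMPLE_REQUESTS = [
    "http://bank.example/account/password",   # opened link, cleartext
    "http://bank.example/favicon.ico",        # account icon, cleartext
    "https://mail.example/account/password",  # opened link, TLS
    "https://mail.example/favicon.ico",       # account icon, TLS
]


def is_cleartext(url: str) -> bool:
    """True when the request would travel unencrypted and unauthenticated."""
    return urlparse(url).scheme.lower() == "http"


def upgrade_to_https(url: str) -> str:
    """The fix the article describes: send the same request over HTTPS."""
    parts = urlparse(url)
    if parts.scheme.lower() != "http":
        return url
    return urlunparse(parts._replace(scheme="https"))


def on_path_response(url: str, attacker_host: str) -> Optional[str]:
    """Model what a 'user in a privileged network position' can do per request.

    For cleartext HTTP the attacker can answer in place of the real server, for
    example with a redirect to a look-alike host, so the user lands on a phishing
    page. For HTTPS the attacker cannot produce a response the client will accept
    without the site's private key or a certificate the device trusts, so None is
    returned to model the attempt failing.
    """
    if not is_cleartext(url):
        return None
    path = urlparse(url).path or "/"
    return f"HTTP/1.1 302 Found\r\nLocation: https://{attacker_host}{path}\r\n\r\n"


def audit_requests(urls: List[str]) -> List[Tuple[str, str]]:
    """Return (cleartext URL, HTTPS replacement) for every tamperable request.

    Feed this the URLs from a proxy capture (mitmproxy, Charles) of the app
    under test; an empty result means nothing can be rewritten on-path.
    """
    return [(u, upgrade_to_https(u)) for u in urls if is_cleartext(u)]


def ats_allows_cleartext(info_plist: bytes) -> List[str]:
    """Report App Transport Security settings that permit cleartext HTTP.

    ATS blocks third-party iOS apps from cleartext HTTP unless Info.plist opts
    out; this finds the opt-outs. (General iOS guidance, not a statement about
    Apple's own app.)
    """
    plist = plistlib.loads(info_plist)
    ats = plist.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true (cleartext allowed everywhere)")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads=true")
    return findings


# Constructed Info.plist with one blanket opt-out and one per-domain opt-out.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.passwords",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "icons.example": {"NSExceptionAllowsInsecureHTTPLoads": True},
            "api.example": {"NSExceptionAllowsInsecureHTTPLoads": False},
        },
    },
})


if __name__ == "__main__":
    for url, fixed in audit_requests(SAMPLE_REQUESTS):
        forged = on_path_response(url, "login.bank-example.test")
        print(f"CLEARTEXT {url}\n  attacker can answer with: {forged!r}\n  should be: {fixed}")
    for finding in ats_allows_cleartext(SAMPLE_INFO_PLIST):
        print("ATS:", finding)
```

The audit deliberately treats any `http://` URL as a finding regardless of what it fetches: an icon download looks harmless, but a forged response to it is the same network capability that forges the redirect on the link, so both belong in the report.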
While the likelihood of falling victim to this bug is low, it demonstrated a significant security slip-up on Apple’s part. Georgia Cooke, a security analyst at ABI Research, called the issue a concerning vulnerability that exposes users to a long-standing attack form which requires limited sophistication. Cooke emphasized the importance of keeping devices updated regularly as a way to mitigate the risks of such vulnerabilities. She also recommended taking extra steps to protect against potential threats, such as routing device traffic through a virtual private network and avoiding sensitive transactions on public Wi-Fi.
Mysk stated that their discovery of the bug did not qualify for a monetary bounty because it did not meet the impact criteria or fall into any eligible categories. The researchers pointed out that they had spent a significant amount of time trying to convince Apple that this was a bug before it was finally addressed, emphasizing that independent researchers play a crucial role in identifying and reporting security issues to improve overall cybersecurity. Apple did not respond to requests for comment on the issue or provide further details about how it was fixed.
In short, Apple has fixed a long-standing bug in the iOS Passwords app, reported by Mysk, in which an attacker in a privileged network position could use the app's cleartext HTTP requests to phish users. The risk to any individual user was low, but it was a significant slip on Apple's part. Keeping devices updated and taking care on shared networks reduce exposure to flaws like this, and independent researchers such as Mysk remain essential to finding and reporting them.