
iOS 18 Passwords App HTTP Vulnerability: A Three-Month Security Flaw Affecting Millions

Mobile Internet, 2025-03-19 06:51:13. Reposted from:


On March 18th, 2025, 9to5Mac reported on a significant security vulnerability discovered in Apple's standalone Passwords app, first introduced with iOS 18 in September 2024. Security researchers at Mysk uncovered that the app, until its remediation in iOS 18.2 released in December 2024, communicated with over 130 websites using the insecure HTTP protocol, leaving users vulnerable to phishing attacks for a period of three months.

The vulnerability stemmed from the Passwords app's reliance on HTTP for various functions, including fetching account icons and opening password reset pages. This lack of enforced HTTPS encryption created a critical weakness, particularly for users connecting to public Wi-Fi networks. Mysk's findings highlight the ease with which malicious actors could exploit this flaw.

The attack vector was straightforward. A hacker on a public Wi-Fi network could intercept the initial HTTP requests sent by the Passwords app. This allowed them to redirect users to convincingly forged phishing websites, designed to mimic legitimate services like Microsoft's live.com. Upon entering their credentials on these fraudulent sites, unsuspecting users unknowingly handed over their sensitive information directly to the attackers, enabling further compromises.

The researchers emphasized the severity of the vulnerability. The unencrypted communication exposed users' login credentials and other sensitive information during the password retrieval and initial setup process. The lack of an option to disable the download of account icons further exacerbated the risk, as the app frequently made requests to websites, each opportunity presenting an entry point for an attacker. This constant data exchange using HTTP provided numerous chances for interception and manipulation.


The absence of mandatory HTTPS enforcement in the iOS 18 and iOS 18.1 versions of the Passwords app is deeply concerning. The default behavior should have prioritized secure communication, especially given the sensitive nature of the data being handled. The lack of user control over icon downloads also highlights a design flaw, as users had no way to mitigate the risks inherent in the insecure protocol.

Apple's failure to implement HTTPS by default in the initial release of the Passwords app represents a significant oversight. This lapse in security protocols exposed a large user base to potentially devastating consequences. The potential for compromised accounts, identity theft, and financial fraud underscores the gravity of the situation.

The remediation, finally implemented in iOS 18.2, corrected the vulnerability by enforcing HTTPS encryption for all communications. This crucial change ensures that future interactions with websites are protected, safeguarding user data. The update, released in December 2024 and documented in a March 17th, 2025 update log, effectively patched the security hole and mitigated the risk of future attacks.
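To make the exposure and the fix described above concrete, the following added example (not Apple's or Mysk's code) models two things: a client-side policy that refuses to fetch account icons or open reset pages over plain HTTP, as the iOS 18.2 change is described, and a scan over constructed request-log lines that flags the plaintext requests a pre-18.2 client would have made. The log format, hosts, the `/favicon.ico` icon path and the `client=` field are all assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed request log in an invented format; the hosts and paths are
# samples, not the 130+ sites Mysk identified.
SAMPLE_LOG = """\
2024-11-02T10:15:01Z client=Passwords method=GET url=http://live.com/favicon.ico
2024-11-02T10:15:01Z client=Passwords method=GET url=https://github.com/favicon.ico
2024-11-02T10:15:03Z client=Passwords method=GET url=http://example.net/account/reset
2024-11-02T10:15:04Z client=Safari method=GET url=http://neverssl.com/
"""

def enforce_https(url: str) -> str:
    """Return the URL with its scheme forced to https.

    Plain http is upgraded in place (a default :80 port is dropped); any
    other scheme is refused rather than silently fetched.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    raise ValueError(f"refusing to fetch over non-https scheme {parts.scheme!r}")

def icon_url(domain: str) -> str:
    """Build the icon URL the client will fetch. The /favicon.ico path is an
    assumption; the article does not say which path the app requested."""
    return enforce_https(f"http://{domain}/favicon.ico")

def plaintext_requests(log: str, client: str = "Passwords") -> list[str]:
    """Scan log lines and return the URLs the given client fetched over plain
    HTTP, i.e. the requests an on-path attacker could have redirected."""
    hits = []
    for line in log.splitlines():
        # Fields after the timestamp are key=value pairs.
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("client") == client and urlsplit(fields["url"]).scheme == "http":
            hits.append(fields["url"])
    return hits

if __name__ == "__main__":
    for url in plaintext_requests(SAMPLE_LOG):
        print(f"plaintext request: {url} -> would now be sent as {enforce_https(url)}")
```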

The incident serves as a stark reminder of the importance of robust security measures in applications handling sensitive personal data. Apple's delayed implementation of HTTPS encryption demonstrates the need for rigorous testing and security reviews during the development lifecycle. The three-month window of vulnerability underscores the potential for significant damage when even seemingly minor security flaws are overlooked.


The discovery and subsequent remediation of this vulnerability highlight the persistent challenges in ensuring the security of even the most widely used software. The vulnerability's existence, lasting for three months before being addressed, further underscores the challenges in balancing the rapid evolution of software updates with the need for a thorough and meticulous approach to security.

The impact of this vulnerability extended beyond the inconvenience of a security update. It represents a breach of user trust, requiring a renewed focus on security protocols and a strengthened commitment to user data protection. The incident should serve as a lesson for developers and manufacturers alike, emphasizing the critical importance of prioritizing security throughout the software development process. The vulnerability's prolonged existence highlights the need for more proactive security measures, including rigorous testing and prompt patching of discovered flaws.

The security researchers at Mysk played a crucial role in identifying and reporting this vulnerability. Their dedicated efforts in uncovering this issue helped prevent further exploitation and protected countless users from potential harm. Their prompt reporting and Apple's eventual response highlight the importance of collaboration between security researchers and technology companies in safeguarding user data.

The successful remediation of the vulnerability in iOS 18.2 offers a degree of closure, but it also serves as a compelling case study in the ongoing challenges of software security. The vulnerability's existence, and the period of time it remained unpatched, underscores the need for continuous vigilance and proactive security measures in the ever-evolving landscape of technology. This incident should prompt further investigation into the processes surrounding the initial release of iOS 18 and the Passwords application, ensuring similar vulnerabilities are effectively mitigated in future releases.

Tags: iOS Passwords App HTTP Vulnerability Three-Month Security Flaw Affecting

