iOS 18 Passwords App HTTP Vulnerability: A Three-Month Security Flaw Affecting Millions

Warning (2): Undefined array key "nsort" [ROOT/plugins/Kuhuang/templates/Websites/view.php, line 430]

          <div class="info"> 
            <span><a href="<?php echo $website_info[0]["nsort"]["nsort_url"];?>"><i class="fa fa-columns"></i><?php echo $website_info[0]["nsort"]["nsort_name"];?></a></span> 
            <span><i class="fa fa-clock-o"></i><?php echo $website_info[0]["submission_date"];?></span>

include - ROOT/plugins/Kuhuang/templates/Websites/view.php, line 430
Cake\View\View::_evaluate() - CORE/src/View/View.php, line 1184
Cake\View\View::_render() - CORE/src/View/View.php, line 1138
Cake\View\View::render() - CORE/src/View/View.php, line 769
Cake\Controller\Controller::render() - CORE/src/Controller/Controller.php, line 762
App\Controller\NewsController::view() - APP/Controller/NewsController.php, line 3938
Cake\Controller\Controller::invokeAction() - CORE/src/Controller/Controller.php, line 539
Cake\Controller\ControllerFactory::handle() - CORE/src/Controller/ControllerFactory.php, line 140
Cake\Controller\ControllerFactory::invoke() - CORE/src/Controller/ControllerFactory.php, line 115
Cake\Http\BaseApplication::handle() - CORE/src/Http/BaseApplication.php, line 317
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 77
Cake\Http\Middleware\CsrfProtectionMiddleware::process() - CORE/src/Http/Middleware/CsrfProtectionMiddleware.php, line 164
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73
Cake\I18n\Middleware\LocaleSelectorMiddleware::process() - CORE/src/I18n/Middleware/LocaleSelectorMiddleware.php, line 61
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73
Cake\Http\Middleware\BodyParserMiddleware::process() - CORE/src/Http/Middleware/BodyParserMiddleware.php, line 157
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73

Notice: file_put_contents() [function.file-put-contents]: Write of 2422 bytes failed with errno=28 No space left on device in /www/wwwroot/www.adminso.com/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 140

Warning (2): Trying to access array offset on value of type null [ROOT/plugins/Kuhuang/templates/Websites/view.php, line 430]Code Context          <div class="info"> 
            <span><a href="<?php echo $website_info[0]["nsort"]["nsort_url"];?>"><i class="fa fa-columns"></i><?php echo $website_info[0]["nsort"]["nsort_name"];?></a></span> 
            <span><i class="fa fa-clock-o"></i><?php echo $website_info[0]["submission_date"];?></span> 
include - ROOT/plugins/Kuhuang/templates/Websites/view.php, line 430
Cake\View\View::_evaluate() - CORE/src/View/View.php, line 1184
Cake\View\View::_render() - CORE/src/View/View.php, line 1138
Cake\View\View::render() - CORE/src/View/View.php, line 769
Cake\Controller\Controller::render() - CORE/src/Controller/Controller.php, line 762
App\Controller\NewsController::view() - APP/Controller/NewsController.php, line 3938
Cake\Controller\Controller::invokeAction() - CORE/src/Controller/Controller.php, line 539
Cake\Controller\ControllerFactory::handle() - CORE/src/Controller/ControllerFactory.php, line 140
Cake\Controller\ControllerFactory::invoke() - CORE/src/Controller/ControllerFactory.php, line 115
Cake\Http\BaseApplication::handle() - CORE/src/Http/BaseApplication.php, line 317
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 77
Cake\Http\Middleware\CsrfProtectionMiddleware::process() - CORE/src/Http/Middleware/CsrfProtectionMiddleware.php, line 164
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73
Cake\I18n\Middleware\LocaleSelectorMiddleware::process() - CORE/src/I18n/Middleware/LocaleSelectorMiddleware.php, line 61
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73
Cake\Http\Middleware\BodyParserMiddleware::process() - CORE/src/Http/Middleware/BodyParserMiddleware.php, line 157
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73

Notice: file_put_contents() [function.file-put-contents]: Write of 2446 bytes failed with errno=28 No space left on device in /www/wwwroot/www.adminso.com/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 140
">

Warning (2): Undefined array key "nsort" [ROOT/plugins/Kuhuang/templates/Websites/view.php, line 430]Code Context          <div class="info"> 
            <span><a href="<?php echo $website_info[0]["nsort"]["nsort_url"];?>"><i class="fa fa-columns"></i><?php echo $website_info[0]["nsort"]["nsort_name"];?></a></span> 
            <span><i class="fa fa-clock-o"></i><?php echo $website_info[0]["submission_date"];?></span> 
include - ROOT/plugins/Kuhuang/templates/Websites/view.php, line 430
Cake\View\View::_evaluate() - CORE/src/View/View.php, line 1184
Cake\View\View::_render() - CORE/src/View/View.php, line 1138
Cake\View\View::render() - CORE/src/View/View.php, line 769
Cake\Controller\Controller::render() - CORE/src/Controller/Controller.php, line 762
App\Controller\NewsController::view() - APP/Controller/NewsController.php, line 3938
Cake\Controller\Controller::invokeAction() - CORE/src/Controller/Controller.php, line 539
Cake\Controller\ControllerFactory::handle() - CORE/src/Controller/ControllerFactory.php, line 140
Cake\Controller\ControllerFactory::invoke() - CORE/src/Controller/ControllerFactory.php, line 115
Cake\Http\BaseApplication::handle() - CORE/src/Http/BaseApplication.php, line 317
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 77
Cake\Http\Middleware\CsrfProtectionMiddleware::process() - CORE/src/Http/Middleware/CsrfProtectionMiddleware.php, line 164
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73
Cake\I18n\Middleware\LocaleSelectorMiddleware::process() - CORE/src/I18n/Middleware/LocaleSelectorMiddleware.php, line 61
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73
Cake\Http\Middleware\BodyParserMiddleware::process() - CORE/src/Http/Middleware/BodyParserMiddleware.php, line 157
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73

Warning (2): Trying to access array offset on value of type null [ROOT/plugins/Kuhuang/templates/Websites/view.php, line 430]Code Context          <div class="info"> 
            <span><a href="<?php echo $website_info[0]["nsort"]["nsort_url"];?>"><i class="fa fa-columns"></i><?php echo $website_info[0]["nsort"]["nsort_name"];?></a></span> 
            <span><i class="fa fa-clock-o"></i><?php echo $website_info[0]["submission_date"];?></span> 
include - ROOT/plugins/Kuhuang/templates/Websites/view.php, line 430
Cake\View\View::_evaluate() - CORE/src/View/View.php, line 1184
Cake\View\View::_render() - CORE/src/View/View.php, line 1138
Cake\View\View::render() - CORE/src/View/View.php, line 769
Cake\Controller\Controller::render() - CORE/src/Controller/Controller.php, line 762
App\Controller\NewsController::view() - APP/Controller/NewsController.php, line 3938
Cake\Controller\Controller::invokeAction() - CORE/src/Controller/Controller.php, line 539
Cake\Controller\ControllerFactory::handle() - CORE/src/Controller/ControllerFactory.php, line 140
Cake\Controller\ControllerFactory::invoke() - CORE/src/Controller/ControllerFactory.php, line 115
Cake\Http\BaseApplication::handle() - CORE/src/Http/BaseApplication.php, line 317
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 77
Cake\Http\Middleware\CsrfProtectionMiddleware::process() - CORE/src/Http/Middleware/CsrfProtectionMiddleware.php, line 164
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73
Cake\I18n\Middleware\LocaleSelectorMiddleware::process() - CORE/src/I18n/Middleware/LocaleSelectorMiddleware.php, line 61
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73
Cake\Http\Middleware\BodyParserMiddleware::process() - CORE/src/Http/Middleware/BodyParserMiddleware.php, line 157
Cake\Http\Runner::handle() - CORE/src/Http/Runner.php, line 73

iOS 18 Passwords App HTTP Vulnerability: A Three-Month Security Flaw Affecting MillionsOn March 18th, 2025, 9to5Mac reported on a significant security vulnerability discovered in Apple's standalone Passwords app, first introduced with iOS 18 in September 2024. Security researchers at Mysk uncovered that the app, until its remediation in iOS 18

iOS 18 Passwords App HTTP Vulnerability: A Three-Month Security Flaw Affecting Millions

On March 18th, 2025, 9to5Mac reported on a significant security vulnerability discovered in Apple's standalone Passwords app, first introduced with iOS 18 in September 2024. Security researchers at Mysk uncovered that the app, until its remediation in iOS 18.2 released in December 2024, communicated with over 130 websites using the insecure HTTP protocol, leaving users vulnerable to phishing attacks for a period of three months.

The vulnerability stemmed from the Passwords app's reliance on HTTP for various functions, including fetching account icons and opening password reset pages. This lack of enforced HTTPS encryption created a critical weakness, particularly for users connecting to public Wi-Fi networks. Mysk's findings highlight the ease with which malicious actors could exploit this flaw.

The attack vector was straightforward. A hacker on a public Wi-Fi network could intercept the initial HTTP requests sent by the Passwords app. This allowed them to redirect users to convincingly forged phishing websites, designed to mimic legitimate services like Microsoft's live.com. Upon entering their credentials on these fraudulent sites, unsuspecting users unknowingly handed over their sensitive information directly to the attackers, enabling further compromises.

The researchers emphasized the severity of the vulnerability. The unencrypted communication exposed users' login credentials and other sensitive information during the password retrieval and initial setup process. The lack of an option to disable the download of account icons further exacerbated the risk, as the app frequently made requests to websites, each opportunity presenting an entry point for an attacker. This constant data exchange using HTTP provided numerous chances for interception and manipulation.

iOS 18 Passwords App HTTP Vulnerability: A Three-Month Security Flaw Affecting Millions

The absence of mandatory HTTPS enforcement in iOS 18 and iOS 18.1 versions of the Passwords app is deeply concerning. The default behavior should have prioritized secure communication, especially given the sensitive nature of the data being handled. The lack of user control over icon downloads also highlights a design flaw, as users had no way to mitigate the inherent risks associated with the insecure protocol.

Apple's failure to implement HTTPS by default in the initial release of the Passwords app represents a significant oversight. This lapse in security protocols exposed a large user base to potentially devastating consequences. The potential for compromised accounts, identity theft, and financial fraud underscores the gravity of the situation.

The remediation, finally implemented in iOS 18.2, corrected the vulnerability by enforcing HTTPS encryption for all communications. This crucial change ensured that future interactions with websites are protected, safeguarding user data. The update, released on December 2024, and documented in a March 17th, 2025 update log, effectively patched the security hole and mitigated the risk of future attacks.

The incident serves as a stark reminder of the importance of robust security measures in applications handling sensitive personal data. Apple's delayed implementation of HTTPS encryption demonstrates the need for rigorous testing and security reviews during the development lifecycle. The three-month window of vulnerability underscores the potential for significant damage when even seemingly minor security flaws are overlooked.

iOS 18 Passwords App HTTP Vulnerability: A Three-Month Security Flaw Affecting Millions

The discovery and subsequent remediation of this vulnerability highlight the persistent challenges in ensuring the security of even the most widely used software. The vulnerability's existence, lasting for three months before being addressed, further underscores the challenges in balancing the rapid evolution of software updates with the need for a thorough and meticulous approach to security.

The impact of this vulnerability extended beyond the inconvenience of a security update. It represents a breach of user trust, requiring a renewed focus on security protocols and a strengthened commitment to user data protection. The incident should serve as a lesson for developers and manufacturers alike, emphasizing the critical importance of prioritizing security throughout the software development process. The vulnerability's prolonged existence highlights the need for more proactive security measures, including rigorous testing and prompt patching of discovered flaws.

The security researchers at Mysk played a crucial role in identifying and reporting this vulnerability. Their dedicated efforts in uncovering this issue helped prevent further exploitation and protected countless users from potential harm. Their prompt reporting and Apple's eventual response highlight the importance of collaboration between security researchers and technology companies in safeguarding user data.

The successful remediation of the vulnerability in iOS 18.2 offers a degree of closure, but it also serves as a compelling case study in the ongoing challenges of software security. The vulnerability's existence, and the period of time it remained unpatched, underscores the need for continuous vigilance and proactive security measures in the ever-evolving landscape of technology. This incident should prompt further investigation into the processes surrounding the initial release of iOS 18 and the Passwords application, ensuring similar vulnerabilities are effectively mitigated in future releases.

标签: iOS Passwords App HTTP Vulnerability Three-Month Security Flaw Affecting

声明：本文内容来源自网络，文字、图片等素材版权属于原作者，平台转载素材出于传递更多信息，文章内容仅供参考与学习，切勿作为商业目的使用。如果侵害了您的合法权益，请您及时与我们联系，我们会在第一时间进行处理！我们尊重版权，也致力于保护版权，站搜网感谢您的分享！

上一篇: 小米15 Ultra：热销背后的品牌力与情绪价值解读

上一篇: 《3月18日CME比特币和以太币期货价格下跌》

娱乐休闲

工商与经济

电脑与网络

公司与企业

教育与培训

文学

艺术

体育与健身

新闻与媒体

卫生与健康

科学/文化

生活与服务

预订服务

公园/游乐场所

公司企业

各地体育

校园文学

气象学

医药法规

论坛/聊天室

家用电器

化工

科技馆/博物馆

装饰/装修

iOS 18 Passwords App HTTP Vulnerability: A Three-Month Security Flaw Affecting Millions

热门文章

热点

标签列表

分享到:

Copyright @ 2007~2025 All Rights Reserved.

Powered By 站长搜索

iOS 18 Passwords App HTTP Vulnerability: A Three-Month Security Flaw Affecting Millions

猜您喜欢

热门文章

热点

标签列表

分享到:

Copyright @ 2007~2025 All Rights Reserved.

Powered By 站长搜索