Apple has discovered a bug in the Passwords program that left iPhone users vulnerable to phishing attacks for three months.
According to 9to5Mac, Passwords downloaded the logos and icons of stored accounts over unencrypted HTTP and also opened password reset pages over HTTP. Without encryption, an attacker on the same Wi-Fi network as you (for example, a public one at an airport or cafe) could intercept the request and redirect you to a look-alike site to steal your credentials.
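As an added illustration (not Apple's code, nor anything published by Mysk or 9to5Mac), the kind of client-side policy that closes this class of bug: upgrade stored URLs to HTTPS before fetching, and refuse a redirect chain that downgrades to HTTP or lands on a different host. The sample URLs are constructed.

```python
from urllib.parse import urlparse, urlunparse

# Constructed sample: per-site URLs a password manager might store for
# icon downloads and password-reset pages (not real Apple data).
SAMPLE_URLS = [
    "http://example.com/favicon.ico",
    "http://example.com/.well-known/change-password",
    "https://example.org/favicon.ico",
]


def enforce_https(url: str) -> str:
    """Upgrade a stored http:// URL to https:// and reject anything else.

    A password manager should never fetch site icons or open reset pages
    over plaintext: anyone on the same network could rewrite the response
    and steer the user to a look-alike site.
    """
    parts = urlparse(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        return urlunparse(parts._replace(scheme="https"))
    raise ValueError(f"refusing non-web scheme in {url!r}")


def redirect_is_safe(chain: list[str]) -> bool:
    """Check a redirect chain as the client observes it, first hop first.

    Returns False if any hop drops to plain HTTP or leaves the host the
    user originally chose. The same-host rule is deliberately strict;
    a deployment may allow known subdomains instead.
    """
    origin = urlparse(chain[0])
    for hop in chain:
        p = urlparse(hop)
        if p.scheme != "https" or p.hostname != origin.hostname:
            return False
    return True


def audit(urls: list[str]) -> list[str]:
    """Return the stored URLs that would be fetched over plaintext HTTP."""
    return [u for u in urls if urlparse(u).scheme == "http"]


if __name__ == "__main__":
    for u in audit(SAMPLE_URLS):
        print("plaintext fetch:", u, "->", enforce_https(u))
```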
The bug was first reported by security researchers at app developer Mysk, who noticed that the iPhone app privacy report showed that Passwords had communicated with 130+ websites via unsecured HTTP.
"We were surprised that Apple didn't use HTTPS by default for such a sensitive application," says researcher Mysk. "In addition, Apple should give users the option to completely disable icon downloads. I don't feel comfortable with my password manager constantly accessing every site for which I store a password, even if these requests sent by Passwords don't contain any identifier."
Apple eventually fixed the bug in December's iOS 18.2 update, though this has only now come to light. The problem had existed for three months, so some users may already have been phished.
Apple Passwords is a password manager first introduced with iOS 18, iPadOS 18, macOS Sequoia and visionOS 2 in the fall. Essentially, it is an alternative to iCloud Keychain, but it also sorts logins into categories such as accounts, Wi-Fi networks, and passkeys.