Apple reveals Passwords bug leaving users exposed to potential phishing

Apple has come clean about a Passwords app bug that went unfixed for three months.

Apple has revealed a Passwords app bug that lasted three months.

The tech giant has finally fixed a bug from the iOS 18 release which resulted in users being vulnerable to phishing attacks.

In an Apple security content update describing the bug, the company said: “A user in a privileged network position may be able to leak sensitive information.”

And they added: “This issue was addressed by using HTTPS when sending information over the network.”

The patch was sorted in the iOS 18.2 update back in December 2024, but Apple has only just revealed the bug and fix this week.

As reported by 9to5Mac, security researchers Mysk noticed their iPhone’s App Privacy Report revealed Passwords had contacted 130 different websites over insecure HTTP traffic.

The app was getting account logos and icons over HTTP, as well as defaulting to opening password reset pages via the unencrypted protocol.

Mysk added to 9to5Mac: “This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website.”

Essentially, an attacker connected to the same network as the affected user – such as someone in a cafe, at an airport or on the same hotel WiFi – could intercept the HTTP request before it is redirected to a secure HTTPS version.
