iOS 18 Passwords App HTTP Vulnerability: A Three-Month Security Flaw Affecting Millions
On March 18th, 2025, 9to5Mac reported a critical security vulnerability in Apple's standalone Passwords app, introduced with iOS 18 in September 2024. Security researchers at Mysk discovered that, until its remediation in iOS 18.2 (released December 2024), the app communicated with over 130 websites using insecure HTTP, exposing users to phishing attacks for three months.
The vulnerability stemmed from the app's use of HTTP for functions like fetching account icons and opening password reset pages. This lack of HTTPS encryption created a significant weakness, especially for users on public Wi-Fi. Mysk's research demonstrated the ease with which malicious actors could exploit this.
The attack was straightforward: a hacker on public Wi-Fi could intercept HTTP requests from the Passwords app, redirecting users to convincing phishing sites mimicking legitimate services (e.g., Microsoft's live.com). Users unknowingly entered credentials into these fraudulent sites, handing over sensitive information to the attackers.
Researchers emphasized the severity of the vulnerability. Unencrypted communication exposed login credentials and other sensitive data during password retrieval and setup. Because account icon downloads could not be disabled, the app kept issuing unencrypted requests to websites in the background, and each of those requests was another opportunity for interception and manipulation.
The absence of mandatory HTTPS in iOS 18 and 18.1 was deeply concerning. Secure communication should have been the default, especially given the sensitive data involved. The lack of user control over icon downloads highlighted a design flaw, leaving users unable to mitigate the risks of the insecure protocol.
Apple's failure to implement default HTTPS in the initial Passwords app release was a significant oversight. This security lapse exposed a large user base to potentially devastating consequences, including compromised accounts, identity theft, and financial fraud.
iOS 18.2 finally addressed the vulnerability by enforcing HTTPS encryption for all communications, ensuring future interactions are protected. This crucial change, documented in a March 17th, 2025 update log, effectively patched the security hole.
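The fix the article describes (iOS 18.2 enforcing HTTPS for every request) and the exposure Mysk measured (cleartext requests to many hosts, issued whenever the app fetched icons or opened reset pages) can both be expressed as simple client-side checks. The Python below is an added example and is not code from Apple, Mysk or 9to5Mac: the hostnames, the redirect chain and the log lines are constructed, and the one-request-per-line log format is assumed.

```python
"""Added example (not from the article, Apple or Mysk): an HTTPS-only
fetch policy for background requests such as account icons and
password-reset pages, plus an audit over constructed traffic logs."""
from urllib.parse import urlsplit, urlunsplit


def enforce_https(url: str) -> str:
    """Rewrite a plain-HTTP URL to HTTPS and refuse any other scheme.

    This is the client-side policy the article attributes to iOS 18.2:
    no request leaves the app over cleartext, so an on-path attacker on
    public Wi-Fi has nothing to intercept or rewrite.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        # Keep host, path and query; only the scheme changes.
        return urlunsplit(("https",) + tuple(parts[1:]))
    raise ValueError(f"refusing non-HTTP(S) URL scheme: {parts.scheme!r}")


def is_downgrade(redirect_chain: list[str]) -> bool:
    """True if any hop in a redirect chain moves from HTTPS back to HTTP.

    TLS protects the response itself, but a server-side redirect to an
    http:// URL would still push the client onto cleartext, so a client
    enforcing HTTPS must stop following at that hop.
    """
    schemes = [urlsplit(u).scheme for u in redirect_chain]
    return any(a == "https" and b == "http"
               for a, b in zip(schemes, schemes[1:]))


def audit_cleartext(log_lines, app="Passwords"):
    """Return the distinct hosts `app` contacted over cleartext HTTP.

    Assumed (constructed) log format: '<timestamp> <app> <method> <url>'.
    This is the kind of count Mysk reported (hosts reached over HTTP),
    reduced to a check a defender can run over captured traffic.
    """
    hosts = set()
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4 or fields[1] != app:
            continue
        parts = urlsplit(fields[3])
        if parts.scheme == "http" and parts.hostname:
            hosts.add(parts.hostname)
    return sorted(hosts)


# Constructed sample traffic; these hosts are placeholders, not the sites
# identified in the original research.
SAMPLE_LOG = [
    "2025-03-18T10:00:01Z Passwords GET http://icons.example.test/favicon.ico",
    "2025-03-18T10:00:02Z Passwords GET https://login.example.test/icon.png",
    "2025-03-18T10:00:03Z Passwords GET http://account.example.test/reset",
    "2025-03-18T10:00:04Z Mail GET http://news.example.test/",
    "2025-03-18T10:00:05Z Passwords GET http://icons.example.test/touch-icon.png",
]

# Constructed redirect chain: the last hop downgrades to cleartext.
SAMPLE_CHAIN = [
    "https://login.example.test/reset",
    "https://sso.example.test/start",
    "http://sso.example.test/legacy",
]


def main() -> None:
    print("cleartext hosts:", audit_cleartext(SAMPLE_LOG))
    print("downgrade in chain:", is_downgrade(SAMPLE_CHAIN))
    for url in ("http://icons.example.test/favicon.ico",
                "https://login.example.test/reset"):
        print(url, "->", enforce_https(url))


if __name__ == "__main__":
    main()
```

The audit deliberately reports only the app named in the log line, since the article's point is that a password manager in particular must never speak cleartext; the same scan can be widened to every app by passing a different `app` value or dropping the filter.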
This incident underscores the importance of robust security measures in applications handling sensitive data. Apple's delayed HTTPS implementation highlights the need for rigorous testing and security reviews throughout the development lifecycle, and the three-month vulnerability window shows how much damage an overlooked flaw in widely used software can do.
The discovery and remediation highlight the ongoing challenge of securing widely used software, and the difficulty of balancing rapid software updates with thorough security practices.
The impact went beyond a simple security update; it represented a breach of user trust. This requires a renewed focus on security protocols and stronger commitment to user data protection. The incident serves as a lesson for developers and manufacturers, emphasizing the critical importance of prioritizing security throughout the software development process and implementing more proactive security measures, including rigorous testing and prompt patching.
Mysk's crucial role in identifying and reporting the vulnerability prevented further exploitation and protected countless users. Their prompt reporting and Apple's response highlight the importance of collaboration between security researchers and technology companies.
While iOS 18.2's remediation provides closure, it also serves as a compelling case study in the ongoing challenges of software security. The vulnerability's existence and unpatched duration underscore the need for continuous vigilance and proactive security measures. This incident should prompt further investigation into the iOS 18 and Passwords app release processes to prevent similar vulnerabilities in future releases.