iOS 18 Passwords App Vulnerability: Everything You Need to Know

iOS 18 Passwords App Vulnerability: Everything You Need to KnowApple's highly anticipated Passwords app, introduced with iOS 18 in September 2024, contained a critical vulnerability in its initial release that could have exposed user passwords to malicious actors on compromised networks. This vulnerability remained unpatched for several months, until a full fix was implemented in March 2025

iOS 18 Passwords App Vulnerability: Everything You Need to Know

Apple's highly anticipated Passwords app, introduced with iOS 18 in September 2024, contained a critical vulnerability in its initial release that could have exposed user passwords to malicious actors on compromised networks. This vulnerability remained unpatched for several months, until a full fix was implemented in March 2025.

The Root Cause: HTTP Instead of HTTPS

Early versions of the Passwords app (iOS 18 and iOS 18.2) relied on the less secure HTTP protocol instead of HTTPS when handling links and icons. This meant that on a compromised network (e.g., a publicly accessible Wi-Fi network infected with malware), an attacker could intercept HTTP requests, redirect users to a fake login page, and steal their credentials.

Security research firm Mysk discovered this issue and reported it to Apple in September 2024. Apple addressed the vulnerability in the iOS 18.2 update released in December 2024. However, the vulnerability persisted for three months, posing an ongoing threat to users on versions prior to iOS 18.2. Apple's complete mitigation of the risk, on March 17th, 2025, may have been a strategic decision to address the issue after reaching a certain threshold of risk assessment and to protect users still on older versions.

Conditions for Exploitation: Stringent and Rare

Despite the potentially severe impact, the likelihood of successful exploitation was extremely low. Successful exploitation required a confluence of highly specific conditions:

1. User on a Compromised Network: The user had to be connected to a Wi-Fi network controlled by a malicious actor, such as a compromised public Wi-Fi hotspot (coffee shop, airport, etc.).

2. Attacker Awareness and Active Exploitation: The attacker needed to be aware of the vulnerability and actively attempt to exploit it. This requires technical skill and malicious intent.

3. Specific User Action within the Passwords App: The user had to open the Passwords app, select a password, and click an in-app link that redirects to the password app's login page.

4. Attacker Interception and Replacement of the Login Page: The attacker had to intercept the HTTP request and redirect it to a fraudulent login page mimicking the website the user was attempting to access.

Importantly, the Passwords app was not vulnerable when using autofill to log into apps or websites. The vulnerability only manifested when a user initiated the login page from within the Passwords app. Furthermore, because HTTP requests automatically 301 redirect to HTTPS, using the Passwords app on an uncompromised network posed no risk.

Actual Risk Assessment: Extremely Low

Considering these conditions, the probability of successful exploitation was extremely low. Most users were unlikely to meet all these criteria simultaneously. This required a very specific set of attacker capabilities and opportunities.

Recommended Actions: Preventative Measures for Enhanced Security

While the likelihood of exploitation was minimal, to further minimize risk, users are advised to:

1. Update Operating System: Update all devices to the latest operating system version (iOS 18.2 or later). This is the most effective preventative measure.

2. Review Passwords App Usage: Reflect on your Passwords app usage. If you never logged in via links within the Passwords app, or were unaware of this login method, you were almost certainly unaffected.

3. Change Passwords for Important Accounts: If you remain concerned, change your passwords for banking, email, work, and other important accounts. This is a precautionary measure to further enhance account security, even if you were not directly affected by the vulnerability.

In conclusion, while the HTTP vulnerability in the iOS 18 Passwords app existed, the likelihood of actual exploitation was extremely low due to the multiple required conditions. Prompt operating system updates are the most effective preventative measure, and changing important account passwords provides an additional layer of security. This incident serves as a reminder that even meticulously designed security apps can have vulnerabilities, and timely software updates and security awareness are crucial for maintaining online safety. We hope this explanation clarifies the details of the vulnerability and helps you take necessary preventative measures.