With the iOS 18.2 update, Apple has patched a security vulnerability in the Passwords app that was introduced with iOS 18 and left users vulnerable to phishing attacks. The vulnerability, discovered by security research firm Mysk, remained unpatched for three months despite being reported to Apple in September 2024.
Apple fixes vulnerability in Passwords app
The vulnerability was caused by the Passwords app opening connections over the less secure HTTP protocol instead of the secure HTTPS protocol. This allowed an attacker on the same network as the user to redirect them to a fake website and steal their credentials. The risk was described as especially high on public Wi-Fi networks.

Although modern websites usually automatically redirect HTTP connections to HTTPS, attackers could manipulate traffic by intercepting the first HTTP request before the redirection. In this way, the user could be unknowingly redirected to a fake login page and their credentials could be stolen.
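The redirect gap described above, shown as an added example (not Apple's or Mysk's code): it flags the cleartext hop in a redirect chain and shows a client-side fix that rewrites the scheme before the first request and refuses any later downgrade. The function names, the `accounts.example.com` host and the redirect maps are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def upgrade_to_https(url):
    """Rewrite an http:// URL to https:// before any request is sent."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    # Drop the default HTTP port so :80 is not carried over to the TLS request.
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def cleartext_hops(chain):
    """Return (index, url) for every hop of a redirect chain sent without TLS."""
    return [(i, u) for i, u in enumerate(chain)
            if urlsplit(u).scheme.lower() != "https"]

def follow(start, redirects, max_hops=5):
    """Walk a redirect map, upgrading the first hop and refusing cleartext hops."""
    url, chain = upgrade_to_https(start), []
    for _ in range(max_hops):
        if urlsplit(url).scheme.lower() != "https":
            raise ValueError(f"refusing cleartext hop: {url}")
        chain.append(url)
        if url not in redirects:
            return chain
        url = redirects[url]
    raise ValueError("too many redirects")

# Constructed sample data: what a client relying on the server's redirect sends.
OBSERVED_CHAIN = ["http://accounts.example.com/login",
                  "https://accounts.example.com/login"]
# Constructed redirect maps: one well-behaved, one that downgrades mid-chain.
REDIRECTS = {"https://accounts.example.com/login":
             "https://accounts.example.com/signin"}
DOWNGRADE = {"https://accounts.example.com/login":
             "http://accounts.example.com/signin"}

if __name__ == "__main__":
    print("exposed hops:", cleartext_hops(OBSERVED_CHAIN))
    print("hardened chain:", follow(OBSERVED_CHAIN[0], REDIRECTS))
```

Hop 0 of the observed chain is the request a network attacker can answer before the legitimate redirect arrives; the hardened walk never sends it.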
Apple patched this vulnerability with the iOS 18.2 and iPadOS 18.2 updates it released in December 2024. However, the company only recently mentioned the issue on its security updates page. The fact that the vulnerability went unfixed for so long has also drawn criticism of Apple’s approach to protecting user security.