Apple Passwords App Bug Left Users Unprotected Against Phishing Attacks for Months

A bug in the Apple Passwords app left users open to phishing attacks during the first three months following the release of iOS 18, until it was finally fixed with the release of iOS 18.2 in December.

According to an Apple security update shared by 9to5Mac, the Passwords app was sending unencrypted requests for the logos and icons associated with users’ stored passwords. Without the protection of encryption, an attacker on the same Wi-Fi network could redirect a user’s browser to a clone phishing site where login details could be stolen.

The vulnerability was first discovered by developer Mysk’s security researchers and reported in September.

Apple’s iOS 18.2 security release notes described the bug:

Impact: A user in a privileged network position may be able to leak sensitive information

Description: This issue was addressed by using HTTPS when sending information over the network.

Apple lists the bug as being fixed in security content updates for the Mac, iPad, and Vision Pro.