Apple Passwords App Vulnerability Exposed Users for Months

Apple’s Passwords app, designed to enhance security for iOS users, ironically left them vulnerable to phishing attacks for nearly three months. Security researchers recently revealed that the flaw exposed sensitive information, raising concerns about cybersecurity risks — even with trusted software.

The vulnerability explained

Researchers at Mysk identified the flaw, which stemmed from the app’s use of unencrypted HTTP connections when retrieving website icons and opening password reset pages. This security lapse allowed attackers to intercept data and redirect users to malicious phishing sites.

>Mysk’s team discovered that the Passwords app contacted over 130 websites using unprotected HTTP traffic. This made it possible for hackers on the same Wi-Fi network — such as in cafes, airports, or hotels — to manipulate the requests and trick users into visiting fraudulent websites designed to steal login credentials.

Apple’s response and fix

Upon discovering the vulnerability in September 2024, Mysk promptly reported the issue to Apple. The tech giant addressed the flaw with the iOS 18.2 update, released in December 2024. This update implemented encrypted HTTPS connections for improved security.

However, Apple only publicly disclosed the vulnerability in March 2025, emphasizing the importance of timely updates and robust cybersecurity measures.

What users should keep in mind

To protect their data, iPhone users are strongly encouraged to update their devices to the latest version of iOS. Updating to iOS 18.2 or later ensures the Passwords app operates with encrypted connections, significantly reducing phishing risks.

Additionally, users should remain vigilant when accessing public Wi-Fi networks and consider using a reputable VPN for added protection.

Key lessons for users and developers

The incident highlights the critical need for secure data transmission protocols, especially for applications managing sensitive information. While Apple quickly resolved the issue, the case serves as a reminder that even the most trusted software can have vulnerabilities.

By keeping software up to date and adopting best security practices, users can better protect themselves against emerging threats in an increasingly digital world.