It emerged Tuesday that a serious HTTP bug in Apple's Passwords app left users vulnerable to phishing attacks for an astonishing three months after its debut last year.
A fix for the vulnerability was included in the iOS 18.2 software update, which rolled out on December 11 last year. But sources indicate that the bug had been there, unpatched, since the launch of iOS 18.0 (and the Passwords app itself) on September 16.
The "occasional security researchers" at Mysk spotted the problem when they noticed that Passwords was fetching logos and icons via unencrypted HTTP traffic and also defaulted to HTTP when opening password reset pages.
"This leaves the user vulnerable," the company told 9to5Mac, which explains the issue in more detail than I will attempt here. "An attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website. We were surprised that Apple didn't enforce HTTPS by default for such a sensitive app … [and] Apple should provide an option for security-conscious users to disable downloading icons completely."
Mysk's words were heeded and Apple patched the bug by making Passwords use HTTPS by default. This change was made quietly in iOS 18.2 in December but was only announced on March 17: "This issue was addressed by using HTTPS when sending information over the web," Apple now explains in its iOS 18.2 security content page, crediting Talal Haj Bakry and Tommy Mysk of Mysk Inc. for the find.
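The weakness Mysk describes is a client that defaults to plaintext HTTP for outbound fetches (icons, password reset pages), which is what lets anyone positioned on the network path tamper with the response. The fix Apple describes is simply to make HTTPS the default. The following Python snippet is an added illustration of that policy and is not Apple's code or Mysk's: it contrasts a hypothetical weak resolver that defaults bare hostnames to `http://` with a hardened one that defaults to `https://`, upgrades explicit `http://` entries instead of fetching them as-is, and refuses every other scheme. The hostnames in the sample list are constructed.

```python
"""Added example (not Apple's or Mysk's code): an outbound-URL policy that
makes HTTPS the default and never silently falls back to plaintext HTTP."""
from urllib.parse import urlsplit, urlunsplit


class PlaintextFetchError(ValueError):
    """Raised when a URL would be fetched over an unencrypted transport."""


def resolve_weak(site: str, path: str = "/") -> str:
    """The weak behaviour the article describes (hypothetical reconstruction):
    a bare hostname defaults to http://, and an explicit http:// URL is
    fetched exactly as stored. Kept only for comparison; do not use."""
    parts = urlsplit(site if "://" in site else f"http://{site}")
    return urlunsplit((parts.scheme, parts.netloc, parts.path or path, parts.query, ""))


def resolve_https(site: str, path: str = "/", upgrade_http: bool = True) -> str:
    """Hardened behaviour: bare hostnames default to https://, http:// is
    upgraded to https:// (or refused when upgrade_http is False), and any
    other scheme is refused. If the host does not serve HTTPS the fetch will
    fail outright, which is the intended outcome rather than a downgrade."""
    parts = urlsplit(site if "://" in site else f"https://{site}")
    scheme = parts.scheme.lower()
    if scheme == "http":
        if not upgrade_http:
            raise PlaintextFetchError(f"refusing plaintext fetch: {site}")
        scheme = "https"
    elif scheme != "https":
        raise PlaintextFetchError(f"unsupported scheme {scheme!r} for {site}")
    if not parts.netloc:
        raise ValueError(f"no host in {site!r}")
    # The fragment is dropped: it is never sent to the server anyway.
    return urlunsplit((scheme, parts.netloc, parts.path or path, parts.query, ""))


def plan_fetches(entries, icon_path: str = "/favicon.ico", upgrade_http: bool = True):
    """Apply the hardened policy to a batch of stored site entries (e.g. the
    sites in a password vault) and return (allowed_urls, refused_entries)."""
    allowed, refused = [], []
    for entry in entries:
        try:
            allowed.append(resolve_https(entry, icon_path, upgrade_http))
        except ValueError as exc:  # PlaintextFetchError is a ValueError
            refused.append((entry, str(exc)))
    return allowed, refused


# Constructed sample vault entries; none of these hosts is real data.
SAMPLE_ENTRIES = [
    "example.com",                   # bare host: weak -> http, hardened -> https
    "http://example.org/icon.png",   # explicit http: hardened upgrades it
    "https://example.net/reset",     # already https: unchanged
    "ftp://example.edu/logo.gif",    # unsupported transport: refused
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"weak:     {entry:32} -> {resolve_weak(entry)}")
    allowed, refused = plan_fetches(SAMPLE_ENTRIES)
    for url in allowed:
        print(f"hardened: fetch {url}")
    for entry, why in refused:
        print(f"hardened: skip  {entry} ({why})")
```

Running the block prints the weak resolution beside the hardened one for each entry. The design choice worth noting is that `resolve_https` upgrades rather than rejects an `http://` entry by default: stored site URLs are frequently typed or imported without a scheme or with `http://`, and upgrading keeps the feature working while closing the plaintext path; passing `upgrade_http=False` gives the stricter behaviour Mysk asks for, where users can opt out of any fetch that was not explicitly HTTPS.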
Low-profile security patches are one of the reasons why we advocate timely software updates for your Apple devices. To update iOS on your iPhone, open the Settings app, go to General > Software Update, and follow the onscreen instructions.