Apple Passwords Phishing Vulnerability
Arin Waichulis (Hacker News, MacRumors):
It’s now been revealed that a serious HTTP bug left Passwords users vulnerable to phishing attacks for nearly three months, from the initial release of iOS 18 until the patch in iOS 18.2.
Security researchers at Mysk first discovered the flaw after noticing that their iPhone’s App Privacy Report showed Passwords had contacted a staggering 130 different websites over insecure HTTP traffic. This prompted the duo to investigate further, finding that not only was the app fetching account logos and icons over HTTP—it also defaulted to opening password reset pages using the unencrypted protocol. “This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website,” Mysk told 9to5Mac.
[…]
However, it becomes a problem when the attacker is connected to the same network as the user (i.e. Starbucks, airport, or hotel Wi-Fi) and intercepts the initial HTTP request before it redirects.
[…]
While this was quietly patched in December of last year, Apple only just disclosed it in the last 24 hours.
Mysk:
“Unfortunately, this issue didn’t qualify for a bounty because it didn’t meet the impact criteria or fall into any of the eligible categories”
Mysk:
Yes, it feels like doing charity work for a $3 trillion company. We didn’t do this primarily for money, but this shows how Apple appreciates independent researchers. We had spent a lot of time since September 2024 trying to convince Apple this was a bug.
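As an added illustration (not code from Mysk, Apple or 9to5Mac) of why the plaintext first hop matters, the Python below models a password-reset link's redirect chain, lists the hops made without TLS, flags a host change right after such a hop, and shows the straightforward mitigation of rewriting stored http:// links to https:// before they are opened; the hostnames and chains are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed redirect chains as (status_code, url) hops. BENIGN_CHAIN is the
# normal case: the app opens the stored http:// reset link and the site upgrades
# it. TAMPERED_CHAIN is the failure mode described above: the plaintext first
# hop is answered by another party on the same network, which sends the user
# to a look-alike host.
BENIGN_CHAIN = [
    (301, "http://accounts.example.com/password/reset"),
    (200, "https://accounts.example.com/password/reset"),
]
TAMPERED_CHAIN = [
    (302, "http://accounts.example.com/password/reset"),
    (200, "https://accounts-example.com.invalid/password/reset"),
]


def plaintext_hops(chain):
    """Return every URL in the chain that was requested without TLS."""
    return [url for _, url in chain if urlsplit(url).scheme == "http"]


def host_changes_after_plaintext_hop(chain):
    """True if a hop fetched over plain HTTP redirected to a different host.

    A plaintext hop is the only point an on-path party can rewrite, so a
    host change immediately after it is what a defender should alert on."""
    for (_, cur), (_, nxt) in zip(chain, chain[1:]):
        cur_parts, nxt_parts = urlsplit(cur), urlsplit(nxt)
        if cur_parts.scheme == "http" and cur_parts.hostname != nxt_parts.hostname:
            return True
    return False


def harden_link(url):
    """Rewrite an http:// link to https:// before it is opened or fetched.

    Assumption (constructed example): the site serves HTTPS, which holds for
    any site that offers a password reset page. Other schemes are untouched."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


if __name__ == "__main__":
    print("plaintext hops:", plaintext_hops(BENIGN_CHAIN))
    print("tampered chain flagged:", host_changes_after_plaintext_hop(TAMPERED_CHAIN))
    print("hardened:", harden_link(BENIGN_CHAIN[0][1]))
```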
Previously:
- Icons in Passwords.app and App Privacy Report
- iOS 18.2 and iPadOS 18.2
- No Bounty for Kernel Vulnerability
Seems like Apple should be sued over this since their performance on that flaw as well as the continuing FUCK ups on iOS and macOS releases don't have our security in mind. Don't they review their code before releasing anything? It seems that WebKit is the major culprit but there are other instances that should be caught before it's kicked out the door.
Even worse, I have discovered that this scan for thumbnails (which occurs every seven days) on iOS or macOS, apart from accessing websites that are referenced in the Passwords app, also accesses websites referenced by 3rd-party apps, which you might expect to be more secure. (In order to support password AutoFill, 3rd-party apps need to populate ASCredentialIdentityStore, which references every website for which a password is available in the 3rd-party app.) More info here: https://developer.apple.com/forums/thread/775610 Apple have contacted me for more information on my bug report.
Christ, that's a clear privacy violation. I do hope they'll urgently fix this, because while I still think it should be a clear choice for the user in the Passwords app, Apple have no business leaking this for non-Apple apps.
Wow, first Mail leaking despite being told not to, now this. I wonder if Apple cares about your privacy?