{"id":47134,"date":"2025-03-19T15:16:02","date_gmt":"2025-03-19T19:16:02","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=47134"},"modified":"2025-09-09T10:42:12","modified_gmt":"2025-09-09T14:42:12","slug":"apple-passwords-phishing-vulnerability","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/03\/19\/apple-passwords-phishing-vulnerability\/","title":{"rendered":"Apple Passwords Phishing Vulnerability"},"content":{"rendered":"<p><a href=\"https:\/\/9to5mac.com\/2025\/03\/18\/apples-passwords-app-was-vulnerable-to-phishing-attacks-for-nearly-three-months-after-launch\/\">Arin Waichulis<\/a> (<a href=\"https:\/\/news.ycombinator.com\/item?id=43406536\">Hacker<\/a> <a href=\"https:\/\/news.ycombinator.com\/item?id=43414395\">News<\/a>, <a href=\"https:\/\/www.macrumors.com\/2025\/03\/19\/apple-passwords-app-phishing-vulnerability\/\">MacRumors<\/a>):<\/p>\n<blockquote cite=\"https:\/\/9to5mac.com\/2025\/03\/18\/apples-passwords-app-was-vulnerable-to-phishing-attacks-for-nearly-three-months-after-launch\/\"><p>It&rsquo;s now been revealed that a serious HTTP bug left Passwords users vulnerable to phishing attacks for nearly three months, from the initial release of iOS 18 until the patch in iOS 18.2.<\/p><p>Security researchers at <a href=\"https:\/\/x.com\/mysk_co\">Mysk<\/a> first discovered the flaw after noticing that their iPhone&rsquo;s <a href=\"https:\/\/support.apple.com\/en-us\/102188\">App Privacy Report<\/a> showed Passwords had contacted a staggering 130 different websites over insecure HTTP traffic. This prompted the duo to investigate further, finding that not only was the app fetching account logos and icons over HTTP&mdash;it also defaulted to opening password reset pages using the unencrypted protocol. &ldquo;This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website,&rdquo; Mysk told <em>9to5Mac<\/em>.<\/p><p>[&#8230;]<\/p><p>However, it becomes a problem when the attacker is connected to the same network as the user (i.e. Starbucks, airport, or hotel Wi-Fi) and intercepts the initial HTTP request before it redirects.<\/p><p>[&#8230;]<\/p><p>While this was <a href=\"https:\/\/9to5mac.com\/2024\/12\/11\/ios-18-2-release-notes\/\">quietly patched in December<\/a> of last year, Apple only just <a href=\"https:\/\/support.apple.com\/en-us\/121837\">disclosed<\/a> it in the last 24 hours.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/x.com\/mysk_co\/status\/1902162695073493435\">Mysk<\/a>:<\/p>\n<blockquote cite=\"https:\/\/x.com\/mysk_co\/status\/1902162695073493435\"><p>&ldquo;Unfortunately, this issue didn&rsquo;t qualify for a bounty because it didn&rsquo;t meet the impact criteria or fall into any of the eligible categories&rdquo;<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/x.com\/mysk_co\/status\/1902350663058907436\">Mysk<\/a>:<\/p>\n<blockquote cite=\"https:\/\/x.com\/mysk_co\/status\/1902350663058907436\"><p>Yes, it feels like doing charity work for a $3 trillion company. We didn&rsquo;t do this primarily for money, but this shows how Apple appreciates independent researchers. We had spent a lot of time since September 2024 trying to convince Apple this was a bug.<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/02\/21\/icons-in-passwords-app-and-app-privacy-report\/\">Icons in Passwords.app and App Privacy Report<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/12\/13\/ios-18-2-and-ipados-18-2\/\">iOS 18.2 and iPadOS 18.2<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/05\/14\/no-bounty-for-kernel-vulnerability\/\">No Bounty for Kernel Vulnerability<\/a><\/li>\n<\/ul>\n\n<p id=\"apple-passwords-phishing-vulnerability-update-2025-03-24\">Update (2025-03-24): <a href=\"https:\/\/hachyderm.io\/@rmondello\/114190912857645304\">Ricky Mondello<\/a>:<\/p>\n<blockquote cite=\"https:\/\/hachyderm.io\/@rmondello\/114190912857645304\">\n<p>The icons issue was present for some time and affected all platforms. The &ldquo;Change Password&rdquo; bug only appeared in the Passwords app for iOS, and was quickly fixed.<\/p>\n<p>Some of the discussions I&rsquo;ve seen around both of these promptly fixed bugs are mixing up details.<\/p>\n<\/blockquote>\n\n<p id=\"apple-passwords-phishing-vulnerability-update-2025-09-09\">Update (<a href=\"#apple-passwords-phishing-vulnerability-update-2025-09-09\">2025-09-09<\/a>): <a href=\"https:\/\/mastodon.social\/@mysk\/115068081394187827\">Mysk<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@mysk\/115068081394187827\"><p>Apple Product Security:\n&ldquo;Unfortunately, this issue didn&rsquo;t qualify for a bounty because it didn&rsquo;t meet the impact criteria or fall into any of the eligible categories&rdquo;<\/p><p>Also Apple: in iOS and iPadOS 26 Passwords has an option to disallow contacting websites, the very thing our research highlighted. &#x1F6B6;&#x200D;&#x2642;&#xFE0F;<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Arin Waichulis (Hacker News, MacRumors): It&rsquo;s now been revealed that a serious HTTP bug left Passwords users vulnerable to phishing attacks for nearly three months, from the initial release of iOS 18 until the patch in iOS 18.2.Security researchers at Mysk first discovered the flaw after noticing that their iPhone&rsquo;s App Privacy Report showed Passwords [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2025-03-19T19:16:05Z","apple_news_api_id":"fed70f44-575a-410f-b570-22ada75bd3fb","apple_news_api_modified_at":"2025-09-09T14:42:15Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAQ==","apple_news_api_share_url":"https:\/\/apple.news\/A_tcPRFdaQQ-1cCKtp1vT-w","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2165,2098,31,2586,1200,48],"class_list":["post-47134","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-password-manager","tag-apple-security-bounty","tag-ios","tag-ios-18","tag-phishing","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/47134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=47134"}],"version-history":[{"count":3,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/47134\/revisions"}],"predecessor-version":[{"id":49193,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/47134\/revisions\/49193"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=47134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=47134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=47134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}