You could get phished with Apple’s Passwords app, unless you update to iOS 18.2.

Arin Waichulis from 9to5Mac:

Security researchers at Mysk first discovered the flaw after noticing that their iPhone’s App Privacy Report showed Passwords had contacted a staggering 130 different websites over insecure HTTP traffic. This prompted the duo to investigate further, finding that not only was the app fetching account logos and icons over HTTP—it also defaulted to opening password reset pages using the unencrypted protocol. “This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website,” Mysk told 9to5Mac.

“We were surprised that Apple didn’t enforce HTTPS by default for such a sensitive app,” Mysk states.

Most modern websites nowadays allow unencrypted HTTP connections but automatically redirect them to HTTPS using a 301 redirect. It’s important to note that while the Passwords app before iOS 18.2 would make a request over HTTP, it would be redirected to the secure HTTPS version. Under normal circumstances, this would be totally fine, as the password changes occur on an encrypted page, ensuring that credentials are not sent in plaintext.

However, it becomes a problem when the attacker is connected to the same network as the user (i.e. Starbucks, airport, or hotel Wi-Fi) and intercepts the initial HTTP request before it redirects. From here they could manipulate the traffic in a few ways.
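The redirect mechanism the quoted passage describes, with the very first plaintext request as the weak point, modelled as an added example (this is not code from 9to5Mac, Mysk or Apple): a small Python client that upgrades any URL to HTTPS before it is sent and refuses a redirect that points back to plain HTTP, beside the naive open-as-given behaviour. The network is a recording stand-in with a constructed response table; the hosts example.test and legacy.test, the response entries and all function names are assumptions, not anything from the report. The transport records every URL requested, so the number of plaintext requests can be counted the way the App Privacy Report surfaced them.

```python
from urllib.parse import urlsplit, urlunsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// URL to https:// before any request leaves the device.
    Non-web schemes are rejected rather than passed through."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return url
    if scheme != "http":
        raise ValueError(f"refusing non-web scheme: {parts.scheme!r}")
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


class RecordingTransport:
    """Stand-in for the network (constructed, not real traffic). Serves a fixed
    response table and records every URL requested, so plaintext requests can
    be counted afterwards."""

    def __init__(self, responses):
        self.responses = responses      # url -> (status, Location header or None)
        self.requested = []

    def __call__(self, url):
        self.requested.append(url)
        return self.responses.get(url, (404, None))

    def plaintext_requests(self):
        return [u for u in self.requested if urlsplit(u).scheme.lower() == "http"]


def naive_open(url, fetch, max_hops=MAX_HOPS):
    """The pre-iOS-18.2 behaviour described in the quoted passage: send the URL
    as given (http included) and follow whatever Location the response carries."""
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status in REDIRECT_STATUSES and location:
            current = location
            continue
        return current
    raise ValueError("too many redirects")


def safe_open(url, fetch, max_hops=MAX_HOPS):
    """Hardened form: the first request is always https, so there is no
    plaintext hop for someone on the same network to tamper with, and a
    redirect pointing back to http (a downgrade) is refused, not followed."""
    current = upgrade_to_https(url)
    for _ in range(max_hops):
        status, location = fetch(current)
        if status in REDIRECT_STATUSES:
            if not location:
                raise ValueError("redirect without Location")
            if urlsplit(location).scheme.lower() != "https":
                raise ValueError(f"refusing downgrade redirect to {location!r}")
            current = location
            continue
        return current
    raise ValueError("too many redirects")


# Constructed response table for two hypothetical hosts (assumed, .test TLD).
# example.test does the common 301 to HTTPS; legacy.test bounces back to HTTP.
SAMPLE_RESPONSES = {
    "http://example.test/reset": (301, "https://example.test/reset"),
    "https://example.test/reset": (200, None),
    "https://legacy.test/reset": (302, "http://legacy.test/reset"),
    "http://legacy.test/reset": (200, None),
}


def plaintext_request_count(opener, url, responses=SAMPLE_RESPONSES):
    """Run `opener` over the constructed network and report how many requests
    went out over plain http; the hardened opener always reports 0."""
    transport = RecordingTransport(responses)
    try:
        opener(url, transport)
    except ValueError:
        pass
    return len(transport.plaintext_requests())


if __name__ == "__main__":
    for name, opener in (("naive", naive_open), ("safe", safe_open)):
        n = plaintext_request_count(opener, "http://example.test/reset")
        print(f"{name}: {n} plaintext request(s) for the reset page")
```

For the example.test reset page both openers end on the same HTTPS URL, but only the naive one ever put a plaintext request on the wire, which is exactly the request an attacker on the same Wi-Fi would need to see. For legacy.test the naive opener happily lands on an HTTP page, while the hardened one stops at the downgrade redirect and reports it.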

Mysk’s video is short and direct, and helps visualize how the phishing attack works.

Perfect time for Apple to report this security bug, when all news outlets are focused on Apple Intelligence and Siri’s failures. Also a perfect time to remind your loved ones not to trust public Wi-Fi networks.
