Apple fixed a bug in the iOS 18.2 Passwords app that, for three months starting with the release of iOS 18, made users vulnerable to phishing attacks, according to an Apple security content update spotted by 9to5Mac.
Here’s how Apple describes the bug and its fix:
Impact: A user in a privileged network position may be able to leak sensitive information
Description: This issue was addressed by using HTTPS when sending information over the network.
As 9to5Mac writes, the Passwords app was sending unencrypted requests for the logos and icons it shows next to the sites your stored passwords are associated with. The lack of encryption meant an attacker on the same Wi-Fi network as you, like at an airport or coffee shop, could redirect your browser to a lookalike phishing site to steal your login credentials. The bug was first discovered by security researchers at app developer Mysk.
In the description of a YouTube video demonstrating the bug, Mysk writes that it first reported the vulnerability in September. Apple describes the same bug in security content updates for the Mac, iPad, and the Vision Pro as well.