Apple has recently disclosed a major security flaw in its Passwords app, which lasted three months before being fixed in iOS 18.2. The flaw, which affected users from the release of iOS 18 in September 2024 until the December update, exposed users to potential phishing attacks when accessing login pages from the app over unencrypted connections.
The Passwords app, which was released in iOS 18 as a standalone tool for handling credentials, unintentionally used the less secure HTTP protocol instead of HTTPS to fetch certain website details, such as site icons. Because those requests travelled in cleartext, an attacker on the same Wi-Fi network—such as a public network in a cafe or airport—could intercept and modify the traffic. By redirecting users to fraudulent login pages, bad actors could potentially harvest sensitive credentials.

Mysk, a security research firm, discovered this vulnerability in September 2024 and promptly reported it to Apple. The company addressed the issue in December with the release of iOS 18.2. However, Apple only revealed the remedy in March 2025, likely to ensure a sufficient number of users had updated before publicly acknowledging the flaw.
To exploit this vulnerability, an attacker would need to be on the same Wi-Fi network as the target, actively watch network activity, and wait for the user to open a password entry and click on a login link from within the Passwords app. This specificity in the attack vector significantly reduces the likelihood of widespread exploitation.
Notably, the vulnerability didn't affect autofill functionality, meaning users who signed into websites or apps directly via Apple's autofill feature were not at risk. Additionally, on networks that are not compromised, most websites redirect plain HTTP requests to HTTPS, which further reduces exposure.
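The root cause described above (site icons fetched over cleartext HTTP) and the mitigation (always use HTTPS) can be illustrated with a small defensive helper and a log check. This is an added example, not code from Apple or Mysk; the function names, the log format and the sample log lines are constructed for illustration.

```python
# Added example (not Apple's or Mysk's code). Two defensive pieces modelled on
# the flaw above: build icon URLs that never use cleartext, and flag any
# cleartext HTTP request a credential manager issues in a traffic log.
from urllib.parse import urlsplit, urlunsplit


def secure_icon_url(site_url: str) -> str:
    """Return an https:// favicon URL for a stored credential's site.

    A stored http:// URL is upgraded rather than fetched as-is, because a
    plaintext request on a hostile Wi-Fi network can be rewritten in transit.
    Anything that is not an http/https URL with a host is rejected.
    """
    parts = urlsplit(site_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unsupported site URL: {site_url!r}")
    return urlunsplit(("https", parts.netloc, "/favicon.ico", "", ""))


def cleartext_requests(log_lines, app="Passwords"):
    """Return the cleartext (http://) URLs requested by the given process.

    Assumed, constructed log format: "<process> <METHOD> <url>" per line.
    Malformed lines are skipped.
    """
    findings = []
    for line in log_lines:
        try:
            process, _method, url = line.split()
        except ValueError:
            continue
        if process == app and urlsplit(url).scheme == "http":
            findings.append(url)
    return findings


# Constructed sample traffic log: two cleartext requests from the password
# manager, one from another app, and one properly encrypted request.
SAMPLE_LOG = [
    "Passwords GET http://example.com/favicon.ico",
    "Passwords GET https://example.com/favicon.ico",
    "Safari GET http://example.org/",
    "Passwords GET http://login.example.net/",
]

if __name__ == "__main__":
    print(secure_icon_url("http://example.com/login"))
    print(cleartext_requests(SAMPLE_LOG))
```

The scanner is the kind of check a defender can run over proxy or packet-capture exports to confirm that a credential manager no longer issues any cleartext requests after patching.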

For those still running an iOS version earlier than 18.2, updating their devices immediately is strongly recommended. Users who are concerned about potential exposure should change their passwords for sensitive accounts like banking and email. However, unless users frequently open login pages directly from the Passwords app while on an unsecured network, their risk remains low.
Apple has recently credited Mysk researchers Talal Haj Bakry and Tommy Mysk for identifying the issue. The company's revised support document confirms that iOS 18.2 effectively addressed the vulnerability, ensuring users on updated devices are no longer at risk.