Apple's Password Manager Suffered from a Significant Security Lapse for Extended Periods
Loosening the Lanyard on Apple's Passwords App
In the ever-evolving world of technology, Apple's recent venture into password management with the release of the 'Passwords' app has been a welcome addition for many Apple enthusiasts. Despite its minimalist design, the app serves its purpose, integrating seamlessly with the OS and offering free management of passwords for multiple accounts.
However, as with any software, 'Passwords' isn't without its flaws. Researchers at Mysk discovered a glaring security oversight, revealing a potentially dangerous vulnerability in the app. The issue resided in the 'Change Password' feature, which, contrary to expectations, opened its connection to the target website over unencrypted HTTP before switching to the secure HTTPS protocol.
This seemingly innocuous error could have profound consequences. Imagine 'Passwords' prompts you to change your Yelp password. Fearing a breach, you select 'Change Password', only to be diverted to a fraudulent site by an attacker lurking on your network, who can tamper with that first request because it travels in the clear. Believing you're on the genuine Yelp site, you might unwittingly fall prey to phishing and hand over sensitive information.
Mysk's disclosure to 9to5Mac sheds light on the issue, stating, "We were astounded that Apple didn't enforce HTTPS by default for such a sensitive app... Additionally, Apple should provide an option for security-conscious users to disable downloading icons completely. I can't help but feel uneasy with my password manager continually pinging each website I maintain a password for, even though the calls Passwords sends don't contain any ID."
This oversight isn't unique to the new 'Passwords' app: Mysk reports that the lapse has persisted since password compromise detection was introduced in iOS 14 back in 2020.
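To make the flaw concrete, here is an added Python model (not Apple's code and not from Mysk's research) that contrasts the HTTP-first 'Change Password' link with an HTTPS-only one and a redirect policy that refuses downgrades and cross-host hops; the site names, the redirect chains and the use of the well-known /.well-known/change-password path are all assumptions made for the example.

```python
from urllib.parse import urlsplit

# "/.well-known/change-password" is the WICG well-known path for change-password
# pages; whether Apple's app uses it is an assumption of this example.
CHANGE_PASSWORD_PATH = "/.well-known/change-password"


def change_password_url_weak(site: str) -> str:
    """The behaviour the article describes: the first hop goes over plain HTTP."""
    return f"http://{site}{CHANGE_PASSWORD_PATH}"


def change_password_url_hardened(site: str) -> str:
    """The fix: never emit an http:// URL for a site you hold a password for."""
    return f"https://{site}{CHANGE_PASSWORD_PATH}"


def redirect_allowed(current: str, target: str) -> bool:
    """Redirect policy: the next hop must stay on HTTPS and on the same site
    (same host or a subdomain of it); anything else is treated as hostile."""
    cur, tgt = urlsplit(current), urlsplit(target)
    cur_host, tgt_host = cur.hostname or "", tgt.hostname or ""
    same_site = tgt_host == cur_host or tgt_host.endswith("." + cur_host)
    return tgt.scheme == "https" and same_site


def follow_redirects(start: str, responses: dict, policy=None, max_hops: int = 5):
    """Walk a redirect chain offline. `responses` maps a requested URL to the
    Location header that answers it (the real server for https:// requests, or
    whoever answers first on the network for http:// ones). Returns the final
    URL, or None if `policy` refuses a hop or the chain is too long."""
    url = start
    for _ in range(max_hops):
        if url not in responses:
            return url  # no further redirect: this is where the user lands
        nxt = responses[url]
        if policy is not None and not policy(url, nxt):
            return None
        url = nxt
    return None


# Constructed scenario: the honest site upgrades http -> https, but an attacker
# on the local network can answer the plaintext request with its own Location.
SITE = "example.com"
LOOKALIKE = "https://login-example.test/change"  # constructed phishing host
HONEST_SERVER = {change_password_url_weak(SITE): change_password_url_hardened(SITE)}
ON_PATH_ATTACKER = {change_password_url_weak(SITE): LOOKALIKE}


def weak_flow(responses: dict):
    return follow_redirects(change_password_url_weak(SITE), responses)


def hardened_flow(responses: dict):
    return follow_redirects(change_password_url_hardened(SITE), responses, policy=redirect_allowed)
```

With the hardened builder the first request is already HTTPS, so an on-path attacker never gets to answer it; the policy additionally blocks any later downgrade or cross-site redirect.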
Taking Steps to Secure Your 'Passwords'
Apple promptly addressed this issue with the launch of iOS 18.2 in December 2024. If you've been tardy with your updates, head to Settings > General > Software Update and follow the on-screen instructions to download and install the update. As of this article, the latest version is iOS 18.3.2, which also incorporates another critical security patch.
Updating iOS will put a brake on potential security risks lurking in your 'Passwords' app and in other parts of your device, such as WebKit, which powers Safari and other web-based content in iOS[1][2][4].
- Open the Settings app on your iPhone.
- Go to General.
- Select Software Update.
- Tap Download and Install.
- Enter your passcode if prompted.
- Tap Install Now.
Ensure your iPhone is adequately charged or connected to a power source, and connected to the internet, for a smooth update process. With this update in place, you can relax a little, knowing your sensitive information is better protected.
- The vulnerability in Apple's 'Passwords' app, discovered by Mysk researchers, was a surprising find: the 'Change Password' flow allowed unencrypted HTTP connections, potentially enabling malicious redirection.
- Despite the vulnerability, Apple's 'Passwords' app remains integrated within the Apple ecosystem, with users managing multiple passwords seamlessly across devices.
- The ecosystem is not immune to such flaws; Mysk reported that the password compromise detection feature introduced in iOS 14 in 2020 suffered from the same vulnerability.