iOS 18 Passwords App Security Flaw Allowed Network-Based Phishing


forbes.com


A security flaw in the initial iOS 18 Passwords app, present from iOS 18's release until iOS 18.2 shipped on December 11, 2024, allowed an attacker on the same network to intercept the app's plaintext HTTP requests and redirect users to phishing sites before the site's own redirect to HTTPS could take effect; Apple disclosed the flaw on March 17, 2025.

English
United States
Technology, Cybersecurity, Apple, Phishing, Security Vulnerability, Passwords App, iOS 18, HTTP
Apple, Mysk
What specific security vulnerability existed in the initial iOS 18 Passwords app release, and what were its potential consequences?
The Passwords app fetched account icons and password-reset pages over plaintext HTTP and relied on the remote site to redirect it to HTTPS. An attacker on the same network could answer that first HTTP request in place of the real server and send the user to a phishing page that harvests credentials. The flaw existed for roughly three months, from the iOS 18 release in September 2024 until iOS 18.2 (December 11, 2024) changed those requests to HTTPS, but Apple did not publicly disclose it until March 17, 2025.
How did the vulnerability exploit the interaction between HTTP and HTTPS protocols, and under what circumstances was it most effective?
The app requested site logos and password-reset pages over HTTP and trusted the server's redirect to HTTPS. That redirect travels in plaintext, so anyone on the same network who can answer in place of the real server returns their own redirect, and the client lands on a look-alike page before any TLS connection has been established. Most sites do redirect to HTTPS, which is why the app appeared to work, but the protection only holds when nobody on the path is tampering. The attack is therefore most effective on shared, untrusted networks such as public Wi-Fi, where an on-path attacker is realistic; on a trusted home or corporate network the plaintext request is unnecessary exposure rather than an immediate compromise. Mechanisms such as HSTS do not help here either, because they only govern a client that has already seen the site's policy and chooses to honour it; a client that starts with an HTTP request has already handed the first hop to the network.
What are the broader implications of this incident for future password manager designs and the security practices of technology companies regarding vulnerability disclosure?
The lesson is that a server-side redirect to HTTPS protects nothing on its own: the first request and the redirect that answers it are both plaintext. A password manager should issue every request as HTTPS from the start and refuse any redirect that downgrades to HTTP, which removes the on-path attack regardless of how trustworthy the network looks. Third-party iOS apps get this from App Transport Security by default unless they opt out in Info.plist, and inspecting an app's traffic through a proxy, which is how this class of bug gets found, is a cheap check to add to a release process. Publishing the advisory only after the fix has shipped is standard coordinated-disclosure practice, but the three-month gap between iOS 18.2 and the March 17, 2025 disclosure means users who defer updates are exposed to a flaw they have not been told about; keeping automatic updates on is the practical mitigation.
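The HTTP-then-redirect mechanism described in the answers above, as an added example that is not code from the Forbes article, Apple or Mysk: a Python model of a client that follows redirects, run against a trusted network and against a shared network with an on-path attacker, with the pre-18.2 behaviour (send the request as given, trust the redirect) beside an HTTPS-first policy. The hostnames bank.example and bank-example.attacker.test, the two network functions and the response bodies are constructed stand-ins for the example.

```python
"""Added example (not code from the Forbes article, Apple, or Mysk): a small
model of why fetching over HTTP and trusting the server's redirect to HTTPS is
exploitable by an on-path attacker, and what an HTTPS-first policy changes.
The hostnames and the two "network" functions are constructed stand-ins."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # Location header on a 3xx
    body: str = ""


# Hypothetical legitimate site: answers HTTP only with a redirect to HTTPS,
# which is the behaviour the article says most sites have.
LEGIT_SITE = {
    "http://bank.example/reset": Response(301, "https://bank.example/reset"),
    "https://bank.example/reset": Response(200, body="legitimate reset form"),
}
PHISH = "https://bank-example.attacker.test/reset"  # attacker's own host and cert


def honest_network(url: str) -> Response:
    """Trusted network: every request reaches the real server."""
    return LEGIT_SITE.get(url, Response(404))


def shared_wifi_attacker(url: str) -> Response:
    """Shared Wi-Fi with an on-path attacker. Plaintext HTTP can be answered
    by the attacker; HTTPS to bank.example cannot (no valid certificate),
    but the attacker can serve HTTPS on a domain they control."""
    if urlsplit(url).scheme == "http":
        return Response(302, PHISH)
    if url == PHISH:
        return Response(200, body="phishing form")
    return honest_network(url)


def force_https(url: str) -> str:
    """Rewrite an http:// URL to https:// before any request is sent."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        raise ValueError(f"unsupported scheme in {url}")
    return urlunsplit(("https",) + tuple(parts[1:]))


def safe_to_follow(target: str, https_only: bool) -> bool:
    """A redirect may be followed unless the policy is HTTPS-only and the
    target would downgrade to plaintext."""
    return not https_only or urlsplit(target).scheme == "https"


def fetch(url: str, network: Callable[[str], Response], https_only: bool,
          max_hops: int = 5) -> Tuple[str, Response, List[str]]:
    """Follow redirects and return (final_url, response, urls_requested).

    https_only=False models the original iOS 18 Passwords behaviour described
    in the article: send the request as given and trust whatever redirect comes
    back. https_only=True models the iOS 18.2 fix: upgrade before the first
    request and refuse any hop that is not HTTPS.
    """
    if https_only:
        url = force_https(url)
    requested: List[str] = []
    for _ in range(max_hops):
        requested.append(url)
        resp = network(url)
        if resp.status in REDIRECTS and resp.location:
            target = urljoin(url, resp.location)
            if not safe_to_follow(target, https_only):
                raise ValueError(f"refusing downgrade redirect to {target}")
            url = target
            continue
        return url, resp, requested
    raise RuntimeError("too many redirects")


def plaintext_requests(requested: List[str]) -> List[str]:
    """Which of the URLs went out over HTTP, i.e. were readable and forgeable
    by anyone on the same network."""
    return [u for u in requested if urlsplit(u).scheme == "http"]


if __name__ == "__main__":
    for label, net in (("trusted network", honest_network),
                       ("shared Wi-Fi + attacker", shared_wifi_attacker)):
        for https_only in (False, True):
            final, resp, hops = fetch("http://bank.example/reset", net, https_only)
            print(f"{label:24} https_only={https_only!s:5} -> {final} ({resp.body})"
                  f" plaintext={plaintext_requests(hops)}")
```

On the trusted network both policies end at the legitimate reset form, which is why the bug was invisible in normal use. On the shared network the HTTP-first client sends one plaintext request, receives the attacker's 302 and finishes on the phishing host, with a valid certificate and padlock because the attacker owns that domain; the HTTPS-first client never emits a plaintext request, so the attacker has nothing to answer. Note that the hardened policy only enforces the scheme: a cross-host HTTPS redirect is still followed, so whether to additionally pin the expected host is a separate decision.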

Cognitive Concepts

2/5

Framing Bias

The article initially frames the vulnerability as a serious security flaw, highlighting the potential for phishing attacks. However, it later shifts to downplaying the risk by emphasizing the low likelihood of exploitation in most scenarios. This shift in framing could influence reader perception of the overall severity.

1/5

Language Bias

The article uses relatively neutral language. However, phrases like "staggering 130 different websites" and "not exactly what you'd be hoping for" inject some subjective tone. More neutral alternatives could be used.

3/5

Bias by Omission

The article focuses on the security vulnerability and its resolution, but omits discussion of Apple's internal security review processes and how this vulnerability was missed initially. It also lacks details on the number of users affected or any reports of successful attacks exploiting this vulnerability. While the article acknowledges the low risk in most circumstances, a more comprehensive analysis of potential impact would be beneficial.

3/5

False Dichotomy

The article presents a false dichotomy by suggesting the vulnerability was either 'totally fine' or a significant problem, neglecting the nuance of the intermediate risk levels involved. The risk depended heavily on the specific network environment and attacker capabilities.