
A critical vulnerability has been discovered in the Passwords app on iOS 18, exposing users to phishing attacks for nearly three months—from the initial release of iOS 18, when the Passwords feature was introduced as a standalone application, until the issue was patched in iOS 18.2.
Cybersecurity researchers from Mysk identified the flaw after noticing that the App Privacy Report on an iPhone indicated that the Passwords app had been contacting 130 different websites via unencrypted HTTP traffic. Further investigation revealed that the application not only retrieved account logos and icons over HTTP but also, by default, opened password reset pages using the unencrypted protocol.
According to Mysk’s specialists, this introduced a serious security risk: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website. Researchers expressed astonishment that Apple had not enforced HTTPS by default for such a highly sensitive application.
While most modern websites still accept unencrypted HTTP connections, they typically automatically redirect traffic to HTTPS using a 301 redirect. Prior to iOS 18.2, the Passwords app initiated requests over HTTP, which were then redirected to the secure HTTPS version.
The vulnerability was particularly exploitable in public networks, where an attacker sharing the same Wi-Fi—such as in a café, airport, or hotel—could intercept the initial HTTP request before redirection occurred. In such a scenario, a malicious actor could manipulate the traffic in multiple ways, including redirecting users to a phishing site designed to harvest their credentials.
Although Apple quietly patched the issue in December of last year, the company did not publicly disclose it until March 17. The Passwords app now enforces HTTPS by default for all connections. All iOS users are strongly advised to update to the latest version of the operating system to mitigate potential security risks.