Apple has revealed a Passwords app vulnerability that lasted for months

Passwords users were exposed to potential phishing attacks for three months until an iOS 18.2 patch.

Mar 18, 2025, 9:27 PM UTC

Image: Cath Virginia / The Verge

Wes Davis

Wes Davis is a weekend editor who covers the latest in tech and entertainment. He has written news, reviews, and more as a tech journalist since 2020.

Apple fixed a bug in the iOS 18.2 Passwords app that, for three months starting with the release of iOS 18, made users vulnerable to phishing attacks, according to an Apple security content update spotted by 9to5Mac.

Here’s how Apple describes the bug and its fix:

Impact: A user in a privileged network position may be able to leak sensitive information

Description: This issue was addressed by using HTTPS when sending information over the network.

As 9to5Mac writes, the Passwords app was sending unencrypted requests for the logos and icons it shows next to the sites your stored passwords are associated with. The lack of encryption meant an attacker on the same Wi-Fi network as you, such as at an airport or coffee shop, could redirect your browser to a lookalike phishing site to steal your login credentials. It was first discovered by security researchers at app developer Mysk.

In the description of a YouTube video demonstrating the bug, Mysk writes that it first reported the vulnerability in September. Apple describes the same bug in security content updates for the Mac, iPad, and the Vision Pro as well.
