The arrival of the Passwords app for the iPhone in iOS 18 was welcome. It took the useful-but-hard-to-find Keychain password management feature and turned it into a highly convenient standalone app. But it now turns out that for several months it may not have been as secure as we might have liked.
According to 9to5Mac, the app had an HTTP bug that could have exposed users to phishing attacks.
It was only fixed in iOS 18.2, almost three months after the Passwords app landed, which is not exactly what you would hope for in an app that holds your passwords.
“Security researchers at Mysk first discovered the flaw after noticing that their iPhone’s App Privacy Report showed Passwords had contacted a staggering 130 different websites over insecure HTTP traffic. This prompted the duo to investigate further, finding that not only was the app fetching account logos and icons over HTTP—it also defaulted to opening password reset pages using the unencrypted protocol. ‘This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website,’ Mysk told 9to5Mac,” the report says.
Before you panic too much: in most circumstances, the level of risk was low. “Most modern websites nowadays allow unencrypted HTTP connections but automatically redirect them to HTTPS using a 301 redirect. It’s important to note that while the Passwords app before iOS 18.2 would make a request over HTTP, it would be redirected to the secure HTTPS version. Under normal circumstances, this would be totally fine, as the password changes occur on an encrypted page, ensuring that credentials are not sent in plaintext,” 9to5Mac says.
That’s a relief, but we’re not quite out of the woods yet: there is one particular circumstance where things are not so rosy, though it must be said this is not a common occurrence.
“It becomes a problem when the attacker is connected to the same network as the user (i.e. Starbucks, airport, or hotel Wi-Fi) and intercepts the initial HTTP request before it redirects. From here they could manipulate the traffic in a few ways… This includes modifying the request to redirect to a phishing site that resembles [a website’s] page. The attacker can then easily gather credentials from the victims and even launch other attacks,” the report comments.
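To make the mechanism concrete from the defender's side, here is an added Python example. It is not code from the article, from Apple, Mysk or 9to5Mac; the hostnames, URLs and the record layout of the sample contact list are all constructed for illustration. It shows the three checks a credential-handling client would want: upgrading a URL to HTTPS itself instead of relying on the server's 301 redirect, accepting a redirect only when it lands on HTTPS at the same host, and counting plaintext-HTTP contacts per app in the spirit of the App Privacy Report observation that tipped Mysk off.

```python
"""Added example (not from the article, Apple, Mysk or 9to5Mac).

Defensive checks that illustrate the Passwords-app HTTP issue described
above. All hostnames, URLs and the contact-record layout are constructed
assumptions for this example.
"""

from collections import Counter
from urllib.parse import urlparse, urlunparse


def enforce_https(url: str) -> str:
    """Return `url` with an https scheme, refusing non-web schemes.

    A client that opens a password-reset page should upgrade the scheme
    itself: if it sends the plaintext HTTP request and waits for the 301,
    anyone on the same Wi-Fi network can answer that request first.
    """
    parts = urlparse(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        # ParseResult is a namedtuple, so _replace swaps the scheme only.
        return urlunparse(parts._replace(scheme="https"))
    raise ValueError(f"refusing non-web URL scheme: {parts.scheme!r}")


def redirect_is_safe(original_url: str, location: str) -> bool:
    """Accept a redirect only if it targets HTTPS on the original host.

    A tampered plaintext response whose Location header points at a
    look-alike domain, or at another plaintext URL, is rejected. Relative
    Location values parse with an empty scheme and are rejected too, which
    is the conservative choice for a credential-handling client.
    """
    orig = urlparse(original_url)
    target = urlparse(location)
    return target.scheme == "https" and target.hostname == orig.hostname


# Constructed sample of per-app network contacts: (app, scheme, host).
# The layout is an assumption, not Apple's App Privacy Report format.
SAMPLE_CONTACTS = [
    ("Passwords", "http", "example-bank.test"),
    ("Passwords", "https", "example-bank.test"),
    ("Passwords", "http", "shop.example.test"),
    ("Mail", "https", "imap.example.test"),
]


def insecure_contacts(records):
    """Count plaintext-HTTP contacts per app.

    A non-zero count for an app that handles credentials is exactly the
    kind of signal that prompted the investigation described above.
    """
    counts = Counter()
    for app, scheme, _host in records:
        if scheme.lower() == "http":
            counts[app] += 1
    return dict(counts)


if __name__ == "__main__":
    print(enforce_https("http://example-bank.test/reset"))
    print(redirect_is_safe("http://example-bank.test/reset",
                           "https://example-bank.test.phish.test/reset"))
    print(insecure_contacts(SAMPLE_CONTACTS))
```

The point of `redirect_is_safe` is the narrow window the report describes: the client only ever sees a plaintext response once, and that single response decides where the user ends up, so the client, not the network, has to decide whether the target is acceptable.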
The patch arrived on Dec. 11, 2024, though it was only disclosed by Apple on March 17, 2025.
What matters is that it is fixed: Apple does not routinely reveal flaws until they have been sorted, to prevent bad actors getting involved.