Security researchers found that the Passwords app introduced with Apple Inc.'s (AAPL) iOS 18 was using unencrypted HTTP connections, exposing users to potential phishing attacks until a quiet fix was issued.

What Happened: Apple's standalone Passwords app, launched with iOS 18 as a more user-friendly alternative to Keychain, had a major security oversight.

For nearly three months, the app was fetching website icons and opening password reset pages using unencrypted HTTP connections.

The flaw was discovered by security researchers at Mysk, who noticed the app had contacted over 130 websites through insecure channels.

"This left the user vulnerable," the researchers told 9to5Mac. "An attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website."

In a demo, Mysk showed how attackers on public networks, like coffee shops or airports, could hijack HTTP requests and redirect users to convincing fake login pages.

Apple quietly fixed the vulnerability in iOS 18.2 in December, enforcing HTTPS by default for all connections within the Passwords app. However, the company only disclosed the issue publicly earlier this week.

Apple did not immediately respond to Benzinga's request for comment.

Why It's Important: Earlier this year, Apple also faced criticism for an alarm issue that persisted even after the release of iOS 18, leaving users oversleeping due to alarms not functioning correctly.

Additionally, a controversial bug in Apple's AI-powered dictation system replaced the word "racist" with "Trump," sparking widespread attention. These incidents highlight ongoing challenges Apple faces in maintaining software reliability and security.

In January, Apple released iOS 18.3, which addressed 29 security vulnerabilities, including some that were actively exploited.

Price Action: Apple shares closed Tuesday at $212.69, declining 0.61% during the regular session. However, in after-hours trading, the stock saw a modest increase of 0.15%, according to Benzinga Pro data.