Apple Passwords App Exposed Users to Phishing Attacks for Three Months
A critical security flaw in the iOS 18 Passwords app left users vulnerable until a December 2024 update quietly fixed the issue.
- The vulnerability, discovered by Mysk researchers in September 2024, stemmed from the app using unencrypted HTTP connections.
- Attackers on shared Wi-Fi networks could intercept HTTP requests and redirect users to phishing sites.
- Apple patched the flaw in December 2024 with iOS 18.2, which enforced HTTPS for all connections in the Passwords app.
- The issue affected multiple Apple devices, including iPhones, iPads, Macs, and Vision Pro headsets.
- Apple publicly disclosed the vulnerability only in March 2025, raising concerns about delayed transparency in security disclosures.
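
The sketch below is an added example, not code from Apple or from the Mysk researchers. It shows one way a developer can audit a proxy capture of their own app's traffic for requests that an on-path party on shared Wi-Fi could intercept or redirect, and then apply the kind of mitigation described above (enforcing HTTPS before any request is sent). The capture format, the hostnames, and the function names `audit_capture` and `to_https` are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample capture: (method, url, status, Location header or None).
# Hostnames are placeholders, not taken from the article.
SAMPLE_CAPTURE = [
    ("GET", "http://accounts.example.com/reset", 301, "https://accounts.example.com/reset"),
    ("GET", "https://accounts.example.com/reset", 200, None),
    ("GET", "http://cdn.example.net/icon.png", 200, None),
    ("GET", "https://shop.example.org/login", 302, "http://shop.example.org/login"),
    ("GET", "https://api.example.com/v1/items", 200, None),
]

def audit_capture(records):
    """Return (url, finding) pairs for requests exposed to on-path tampering."""
    findings = []
    for _method, url, status, location in records:
        scheme = urlsplit(url).scheme.lower()
        # A relative Location has no scheme and inherits the request's scheme.
        loc_scheme = urlsplit(location).scheme.lower() if location else ""
        is_redirect = 300 <= status < 400 and bool(location)
        if scheme == "http" and is_redirect and loc_scheme == "https":
            # The first hop is still cleartext: whoever answers it picks the destination.
            findings.append((url, "cleartext-then-upgrade"))
        elif scheme == "http":
            findings.append((url, "cleartext"))
        elif scheme == "https" and is_redirect and loc_scheme == "http":
            findings.append((url, "downgrade-redirect"))
    return findings

def to_https(url):
    """Client-side mitigation: force the https scheme before the request is sent."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    netloc = parts.netloc
    if netloc.endswith(":80"):
        # An explicit cleartext port must not carry over to the HTTPS URL.
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

if __name__ == "__main__":
    for url, finding in audit_capture(SAMPLE_CAPTURE):
        print(finding, url)
```

A request flagged `cleartext-then-upgrade` looks safe in a browser address bar because it ends on HTTPS, but the redirect itself travels unencrypted, so it is worth fixing at the client rather than relying on the server.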