Apple Quietly Fixed Passwords App Vulnerability That Exposed Users to Phishing Risks

The flaw in Apple's Passwords app, patched in December 2024, left users vulnerable to phishing attacks for nearly three months due to unencrypted HTTP connections.

Apple's Passwords app, introduced with iOS 18, used unencrypted HTTP connections, exposing users to phishing risks on shared networks.
The vulnerability allowed attackers on public Wi-Fi networks to intercept traffic and redirect users to phishing sites that mimicked legitimate pages.
Security researchers at Mysk discovered the flaw in September 2024 and reported it to Apple, highlighting the app's failure to enforce HTTPS by default.
Apple addressed the issue in December 2024 with iOS 18.2, which enforced HTTPS for all app connections, but disclosed the vulnerability only in March 2025.
The incident has raised concerns about Apple's transparency and its approach to addressing security flaws in sensitive applications.