Apple has finally fixed a security flaw in its new password manager app that could have put your data at risk.
The company first introduced Passwords with the highly anticipated iOS 18 update as a built-in application to help you manage your credentials and alert you if they have been compromised in a data breach. However, developer and security researcher Tommy Mysk discovered a vulnerability in the app shortly after launch.
Apple confirmed that the new 18.2 operating system update resolves the issue, which an attacker could have exploited to “alter network traffic.” Mysk is now urging everyone to upgrade all their Apple devices to the latest version to fix the critical issue as soon as possible.
iOS 18.2 security update
“Since the launch of iOS 18, the new Passwords app has been using unencrypted HTTP to download password entry icons – a potential security risk. We reported this bug to Apple in September and it was ultimately fixed in iOS 18.2 (CVE-2024-54492),” Mysk wrote on X on Wednesday, December 11, 2024.
HTTP (Hypertext Transfer Protocol) is the set of rules used to transfer data on the Internet and to load web pages. Plain HTTP is unencrypted, and as the iOS expert explains, a malicious network can easily intercept and manipulate insecure HTTP traffic.
The problem was that every time you added a new password, Passwords retrieved the account icon of the added website (for example, gmail.com) by contacting the website over the insecure HTTP protocol.
“This malicious network overwrites the response and returns a custom icon,” Mysk says. “Passwords chose the custom icon and displayed it in the app. This could be a malicious payload.”
“This issue was addressed by using HTTPS when sending information over the network,” Apple confirmed in security update 18.2.
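The fix described above, shown as an added Python example (not Apple's code and not from the original article): an icon fetch policy that only ever builds `https` URLs, refuses redirects that downgrade to `http`, and discards responses that are not recognisable images. The `/favicon.ico` path, the size cap and the accepted formats are assumptions made for illustration.

```python
# Added example (not Apple's code): HTTPS-only policy for fetching site icons.
from urllib.parse import urljoin, urlsplit

MAX_ICON_BYTES = 256 * 1024  # assumed upper bound for an icon download

# Leading magic bytes of the image formats this sketch accepts (assumed set).
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "ico": b"\x00\x00\x01\x00",
    "gif": b"GIF8",
}

def icon_url(domain: str) -> str:
    """Build the icon URL for a saved site; the scheme is always https."""
    host = domain.strip().lower().rstrip(".")
    if not host or any(c in host for c in "/@:?#\\ "):
        raise ValueError(f"not a bare hostname: {domain!r}")
    return f"https://{host}/favicon.ico"  # assumed icon location

def redirect_allowed(current: str, location: str) -> bool:
    """Follow a redirect only if both ends are https (no downgrade to http)."""
    target = urlsplit(urljoin(current, location))  # resolves relative targets
    return urlsplit(current).scheme == "https" and target.scheme == "https"

def classify_icon(body: bytes, content_type: str):
    """Return the detected image type, or None if the response is discarded."""
    if len(body) > MAX_ICON_BYTES:
        return None
    if not content_type.lower().startswith("image/"):
        return None
    for kind, magic in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None

if __name__ == "__main__":
    url = icon_url("gmail.com")
    print(url)
    # Constructed sample redirect targets and response bodies.
    print(redirect_allowed(url, "http://gmail.com/favicon.ico"))  # downgrade
    print(classify_icon(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png"))
    print(classify_icon(b"<html>not an icon</html>", "image/png"))
```

The content checks are a second layer only: it is the TLS connection with normal certificate validation that stops a network from rewriting the response in the first place.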
The Passwords fix is now available for all devices (iPhone and iPad on 18.2, as well as Macs on macOS Sequoia 15.2) once they are upgraded to the latest version.
Mysk is urging everyone to upgrade their devices as soon as possible, noting that another security company, Tenable, has also classified the vulnerability as ‘critical’.
However, the 18.2 update isn’t just about fixing vulnerabilities. The release is likely the biggest Apple Intelligence upgrade for iPhone, iPad and Mac yet, bringing to devices some of the most anticipated Apple AI features, such as Genmoji, Image Playground and a ChatGPT-powered Siri.
Most notably, Apple Intelligence is finally expanding its support to Australia, Canada, Ireland, New Zealand, South Africa and the United Kingdom.