Apple’s Passwords App Exposed to Security Risks
Apple has offered password management features for quite some time, but it wasn’t until last autumn that the company unveiled a standalone application dubbed “Passwords.” While it has a simple design, its integration into the operating system makes it functional and accessible. Best of all, it comes at no cost. For users deeply embedded in the Apple ecosystem, it is a straightforward way to generate, store, and manage passwords across their accounts. However, a serious security vulnerability in this application has recently come to light.
The application features a function that allows users to change their passwords directly within the Passwords app, which is especially useful when it detects any compromise of an account’s credentials. By selecting the corresponding account and choosing the “Change Password…” option, users can access an in-app browser that navigates to the account’s official site for password modification.
Although this functionality is practical, it harboured a considerable security weakness. Researchers at Mysk found that when a user taps “Change Password…” for an account, the app first connects to the website over an unencrypted HTTP link and only then switches to HTTPS. The encrypted layer is what protects the data exchanged between the user’s device and the website; without it, someone on the same network could intercept that first plaintext request and redirect the user wherever they chose.
Consider a scenario where the Passwords app alerts a user about a breach of their Yelp password, prompting the need for a change. The user might tap on the Yelp entry and select “Change Password…,” unaware that a malicious individual could be monitoring this action. Instead of reaching the legitimate Yelp site, they could be redirected to a counterfeit version, designed to extract sensitive personal information. This could easily lead to a successful phishing attempt.
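To make the risk described above concrete, here is a small added example (not Apple’s or Mysk’s code) that models the pre-fix behaviour beside a hardened version. It uses a constructed, offline redirect table with hypothetical hostnames: the insecure client starts wherever it is told and follows redirects blindly, so its first hop is plaintext; the hardened client upgrades the scheme before sending anything and refuses any later downgrade.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed redirect table standing in for the network: each key is a URL the
# client requests, each value is the Location it is sent to. Hostnames are
# hypothetical placeholders, not real sites.
REDIRECTS = {
    "http://example-site.test/account": "https://example-site.test/account",
    "https://example-site.test/account": "https://example-site.test/settings/password",
}

# A second constructed table where the site downgrades mid-chain.
DOWNGRADE = {
    "https://downgrade.test/login": "http://downgrade.test/login",
}


def follow(start_url, redirects=REDIRECTS, max_hops=5):
    """Follow redirects the way the pre-18.2 app did: start as told, hop blindly."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None:
            break
        chain.append(nxt)
        url = nxt
    return chain


def plaintext_hops(chain):
    """Return every hop made over plain HTTP; each is an interception opportunity."""
    return [u for u in chain if urlsplit(u).scheme == "http"]


def force_https(url):
    """Upgrade the scheme before the first request is ever sent."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url!r}")
    return urlunsplit(("https",) + tuple(parts[1:]))


def safe_follow(start_url, redirects=REDIRECTS, max_hops=5):
    """Hardened variant: HTTPS from the first hop, and no downgrade tolerated."""
    chain = follow(force_https(start_url), redirects, max_hops)
    bad = plaintext_hops(chain)
    if bad:
        raise RuntimeError(f"downgrade to plaintext at {bad[0]}")
    return chain
```

Running `plaintext_hops(follow("http://example-site.test/account"))` shows the single unencrypted hop an on-path observer would see, while `safe_follow` on the same start URL never touches plaintext and rejects the downgrade table outright.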
According to Mysk, as reported to 9to5Mac, “We were surprised that Apple’s system did not enforce HTTPS as the default for such a critical application… Moreover, Apple should consider offering an option to disable icon downloading entirely for users prioritizing security. I find it unsettling that my password manager is continually accessing every site where I have an account, despite the fact that the data sent by Passwords does not include any identifiers.”
This issue is not exclusive to the Passwords app. Mysk noted that this vulnerability has persisted since Apple implemented compromised password detection in iOS 14 back in 2020.
Steps to Remedy this Passwords Security Vulnerability
Apple addressed this flaw in iOS 18.2, released in December 2024. Chances are, your device has already been updated since then.
If not, it’s crucial to upgrade to the latest iOS version immediately. Currently, iOS 18.3.2 is available and contains additional important security fixes. To update your device, navigate to Settings > General > Software Update and follow the prompts to download and install the latest version.