Apple’s Passwords app had a security flaw that exposed users to phishing attacks for months. Learn what happened and how to stay protected.
Apple’s Passwords app, designed to enhance security for iOS users, ironically left them vulnerable to phishing attacks for nearly three months. Security researchers recently revealed that the flaw exposed sensitive information, raising concerns about cybersecurity risks — even with trusted software.
Researchers at Mysk identified the flaw, which stemmed from the app’s use of unencrypted HTTP connections when retrieving website icons and opening password reset pages. This security lapse allowed attackers to intercept data and redirect users to malicious phishing sites.
>Mysk’s team discovered that the Passwords app contacted over 130 websites using unprotected HTTP traffic. This made it possible for hackers on the same Wi-Fi network — such as in cafes, airports, or hotels — to manipulate the requests and trick users into visiting fraudulent websites designed to steal login credentials.
Upon discovering the vulnerability in September 2024, Mysk promptly reported the issue to Apple. The tech giant addressed the flaw with the iOS 18.2 update, released in December 2024. This update implemented encrypted HTTPS connections for improved security.
However, Apple only publicly disclosed the vulnerability in March 2025, emphasizing the importance of timely updates and robust cybersecurity measures.
To protect their data, iPhone users are strongly encouraged to update their devices to the latest version of iOS. Updating to iOS 18.2 or later ensures the Passwords app operates with encrypted connections, significantly reducing phishing risks.
Additionally, users should remain vigilant when accessing public Wi-Fi networks and consider using a reputable VPN for added protection.
The incident highlights the critical need for secure data transmission protocols, especially for applications managing sensitive information. While Apple quickly resolved the issue, the case serves as a reminder that even the most trusted software can have vulnerabilities.
By keeping software up to date and adopting best security practices, users can better protect themselves against emerging threats in an increasingly digital world.
Matt Gonzales is the Managing Editor of Cybersecurity for eSecurity Planet. An award-winning journalist and editor, Matt has reported on emerging technologies for the U.S. Marine Corps and led editorial strategy at major organizations. He specializes in transforming complex tech topics into clear, actionable insights for business, cybersecurity, and IT leaders.
