Apple has fixed a bug in the Passwords app in iOS 18.2 that left users vulnerable to phishing attacks for three months after the release of iOS 18, according to an Apple security content update spotted by 9to5Mac.
According to 9to5Mac, the Passwords app was sending unencrypted requests for the logos and icons it shows next to the sites associated with your saved passwords. The lack of encryption meant that an attacker on the same Wi-Fi network as you, such as at an airport or coffee shop, could redirect your browser to a look-alike phishing site to steal your login credentials. This was first discovered by security researchers at Mysk, an app development company.
In the description of its YouTube video demonstrating the bug, Mysk writes that it first reported the vulnerability in September. Apple also describes the same bug in its security content updates for Mac, iPad, and Vision Pro.