
Apple iPhone Passwords Had A Real-World Flaw For Almost 3 Months
The arrival of the Passwords app for the iPhone in iOS 18 was welcome. It took the useful-but-hard-to-find Keychain password management feature and turned it into a highly convenient standalone app. But it now turns out that for several months, it may not have been as secure as we might have liked.
[Image: Apple iPhone 16. Credit: CFOTO/Future Publishing via Getty Images]
According to 9to5Mac, the app was vulnerable thanks to an HTTP bug which could have left users vulnerable to phishing attacks.
It was only fixed in iOS 18.2, almost three months after the Passwords app landed, which is not exactly what you'd hope for in an app that holds your passwords.
'Security researchers at Mysk first discovered the flaw after noticing that their iPhone's App Privacy Report showed Passwords had contacted a staggering 130 different websites over insecure HTTP traffic. This prompted the duo to investigate further, finding that not only was the app fetching account logos and icons over HTTP—it also defaulted to opening password reset pages using the unencrypted protocol. 'This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website,' Mysk told 9to5Mac,' the report says.
Before you panic too much, in most circumstances, the level of risk was low. 'Most modern websites nowadays allow unencrypted HTTP connections but automatically redirect them to HTTPS using a 301 redirect. It's important to note that while the Passwords app before iOS 18.2 would make a request over HTTP, it would be redirected to the secure HTTPS version. Under normal circumstances, this would be totally fine, as the password changes occur on an encrypted page, ensuring that credentials are not sent in plaintext,' 9to5Mac says.
That's a relief, but we're not quite out of the woods yet, as there is one particular circumstance where things are not so rosy, though it must be said this is not a common occurrence.
'It becomes a problem when the attacker is connected to the same network as the user (i.e. Starbucks, airport, or hotel Wi-Fi) and intercepts the initial HTTP request before it redirects. From here they could manipulate the traffic in a few ways… This includes modifying the request to redirect a phishing site that resembles [a website's]
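The defensive lesson in the passage above is that a client should never issue the first request in plaintext and trust the server's 301 to upgrade it. The following added example (not code from the article, 9to5Mac, Mysk or Apple) shows both halves of that: a client-side helper that rewrites any HTTP URL to HTTPS before it is opened, and an audit routine that counts, per app, the distinct hosts contacted over plain HTTP. The tab-separated "app<TAB>url" report format and the example.* hosts are constructed for the demonstration and are not Apple's App Privacy Report export format.

```python
"""Added example: enforce HTTPS client-side and audit plaintext HTTP contacts."""
from urllib.parse import urlsplit, urlunsplit


def enforce_https(url: str) -> str:
    """Return the URL with an https scheme so the first request is never plaintext.

    Relying on the server's 301 redirect leaves a window in which an on-path
    attacker on the same network can answer the unencrypted request first.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    netloc = parts.netloc
    # An explicit :80 belongs to plain HTTP; drop it rather than carry it to TLS.
    if parts.scheme == "http" and parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, parts.fragment))


def insecure_contacts(report_lines):
    """Map each app to the sorted list of distinct hosts it contacted over http://.

    Input lines use a constructed 'app<TAB>url' layout (assumption, not Apple's format).
    """
    hosts = {}
    for line in report_lines:
        app, url = line.split("\t", 1)
        p = urlsplit(url.strip())
        if p.scheme == "http":
            hosts.setdefault(app, set()).add(p.hostname)
    return {app: sorted(h) for app, h in hosts.items()}


# Constructed sample report: icon fetches and a reset page opened over HTTP.
SAMPLE_REPORT = [
    "Passwords\thttp://example.com/favicon.ico",
    "Passwords\thttp://example.org/account/reset",
    "Passwords\thttps://example.net/icon.png",
    "Mail\thttp://example.com/logo.png",
]


if __name__ == "__main__":
    for app, hosts in insecure_contacts(SAMPLE_REPORT).items():
        print(f"{app}: {len(hosts)} host(s) over plain HTTP -> {hosts}")
    print(enforce_https("http://example.org:80/account/reset?u=1"))
```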
The patch arrived on Dec. 11, 2024, though it was only disclosed by Apple on March 17, 2025.
What is key is that it is fixed—Apple does not routinely reveal flaws until they have been sorted to prevent bad actors getting involved.