Latest news with #Passwords


Fox News
24-03-2025
Apple fixes Passwords app vulnerability enabling Wi-Fi attacks
Do you remember Apple's "Privacy. That's iPhone" marketing campaigns? If you're not aware, the company likes to portray its products as being synonymous with privacy. However, the recent wave of security vulnerabilities affecting iPhones and Macs suggests Apple's products may not be as secure as advertised. A recent security blunder only reinforces this point.

Security researchers discovered that Apple's built-in password manager app, Passwords, was vulnerable to phishing attacks for nearly three months after launch. This meant an attacker on the same Wi-Fi network as you, like at an airport or coffee shop, could redirect your browser to a lookalike phishing site to steal your login credentials.

Security researchers at Mysk noticed that Apple's Passwords app, introduced with iOS 18 in September 2024, had a significant security flaw that left users vulnerable to phishing attacks for nearly three months. The app used unencrypted HTTP connections instead of the more secure HTTPS to fetch logos and icons displayed alongside stored passwords. This allowed attackers on the same network, such as public Wi-Fi at a coffee shop or airport, to intercept these requests and potentially redirect users to phishing sites designed to steal login credentials. The issue remained unresolved from iOS 18's launch in September 2024 until Apple fixed it in December 2024, leaving users exposed for nearly three months.

If someone opened the Passwords app and tapped a link, like "Change Password," while connected to an insecure network, an attacker could intercept the request and redirect them to a fraudulent site mimicking a legitimate one, such as a fake Yelp login page. Since the app did not enforce HTTPS, users might not notice the switch, putting their sensitive information at risk.

Apple addressed the problem after security researchers from Mysk reported it in September 2024.
The iOS 18.2 update, released in December, patched the vulnerability by enforcing HTTPS for all network communications within the Passwords app, making it much harder for attackers to intercept or redirect traffic.

If you're using an iPhone or iPad with the Passwords app, ensure your device is updated to iOS 18.2 or later. This ensures you're protected from this vulnerability. If you haven't updated yet and used the app on public Wi-Fi between September and December 2024, consider changing passwords for any accounts you accessed during that period, just to be safe.

Follow the steps to update your iPhone or iPad:

Apple's recent security blunder with the Passwords app highlights the importance of taking steps to protect your digital identity. Here are some ways you can stay safe from hackers targeting your passwords.

1) Use a reliable password manager: Apple apps are generally more secure than third-party options, but the Passwords app clearly wasn't. The fact that the security vulnerability existed for three months before Apple fixed it proves that Apple needs to put more emphasis on keeping customer data secure. I'd suggest opting for a reliable password manager instead of relying on Apple's offering. Get more details about my best expert-reviewed password managers of 2025 here.

2) Enable two-factor authentication (2FA): It's good to have a password manager, but you know what's even better? 2FA. Adding an extra layer of security with 2FA can prevent hackers from accessing your accounts, even if they steal your password. Use authentication apps like Google Authenticator, Microsoft Authenticator or hardware security keys instead of SMS-based codes, which are vulnerable to SIM-swapping attacks.

3) Avoid public Wi-Fi for sensitive activities and use a VPN: Hackers can exploit unsecured public networks to intercept your login credentials.
If you must access sensitive accounts on public Wi-Fi, use a VPN to encrypt your internet traffic and prevent attackers from snooping on your data. VPNs will protect you from those who want to track and identify your potential location and the websites that you visit. A reliable VPN is essential for protecting your online privacy and ensuring a secure, high-speed connection. For the best VPN software, see my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android and iOS devices.

4) Beware of phishing attacks and install strong antivirus software: You can have all the protection in the world, but a phishing email or SMS can still cause havoc. Hackers often use fake login pages to trick you into entering your credentials. Always verify URLs before entering login details, and avoid clicking on suspicious links in emails or messages. The best way to safeguard yourself from malicious links is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.

5) Keep your devices updated: Regularly update your devices and software to ensure you have the latest security patches.

6) Regularly monitor all your accounts: Monitor your accounts for suspicious activity and report any unusual transactions or login attempts to Apple.

Three months is a long time for a security flaw in a password manager to go unpatched, especially from a company that presents itself as a leader in privacy and security. This incident highlights a troubling reality. Apple's security measures are not infallible, and even built-in system apps can expose users to serious risks. While the fix eventually arrived, it should not have taken this long for such a fundamental issue to be addressed.
If Apple wants to maintain its privacy-first image, it needs to do better by ensuring more rigorous security testing before launch.

Do you think Apple is doing enough to stay ahead of evolving cyber threats or are there additional steps the company should take to protect its users?


Forbes
20-03-2025
Apple iPhone Passwords Had A Real-World Flaw For Almost 3 Months
The arrival of the Passwords app for the iPhone in iOS 18 was welcome. It took the useful-but-hard-to-find Keychain password management feature and turned it into a highly convenient standalone app. But it now turns out that for several months, it may not have been as secure as we might have liked.

According to 9to5Mac, the app was vulnerable thanks to an HTTP bug which could have left users vulnerable to phishing attacks. It was only fixed in iOS 18.2, almost three months after the Passwords app landed. Which is not exactly what you'd be hoping for in an app that holds your passwords.

'Security researchers at Mysk first discovered the flaw after noticing that their iPhone's App Privacy Report showed Passwords had contacted a staggering 130 different websites over insecure HTTP traffic. This prompted the duo to investigate further, finding that not only was the app fetching account logos and icons over HTTP—it also defaulted to opening password reset pages using the unencrypted protocol. 'This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website,' Mysk told 9to5Mac,' the report says.

Before you panic too much, in most circumstances, the level of risk was low.

'Most modern websites nowadays allow unencrypted HTTP connections but automatically redirect them to HTTPS using a 301 redirect. It's important to note that while the Passwords app before iOS 18.2 would make a request over HTTP, it would be redirected to the secure HTTPS version. Under normal circumstances, this would be totally fine, as the password changes occur on an encrypted page, ensuring that credentials are not sent in plaintext,' 9to5Mac says.

That's a relief, but we're not quite out of the woods yet, as there is one particular circumstance where things are not so rosy, though it must be said this is not a common occurrence.
'It becomes a problem when the attacker is connected to the same network as the user (i.e. Starbucks, airport, or hotel Wi-Fi) and intercepts the initial HTTP request before it redirects. From here they could manipulate the traffic in a few ways… This includes modifying the request to redirect a phishing site that resembles [a website's]

The patch arrived on Dec. 11, 2024, though it was only disclosed by Apple on March 17, 2025. What is key is that it is fixed—Apple does not routinely reveal flaws until they have been sorted to prevent bad actors getting involved.
Yahoo
04-03-2025
How to Safeguard Your Most Important Logins with Apple's Passwords App
You already know you should create unique passwords for every website to protect your sensitive information, but keeping track of them all is a burden. Apple created its own Passwords app to make it easy to securely store and easily recall them. You can finally ditch those sticky notes hanging from your computer.

Apple's new Passwords app brings all your passwords and passkeys under one secure umbrella and is available now in iOS 18, iPadOS 18 and MacOS Sequoia. If you're ready to tame your tangle of passwords, this guide covers the main features of the Passwords app and how to easily access your critical information when you need it. It primarily covers Passwords from the point of view of the MacOS app, but the basics apply to the iPhone and iPad apps, too.

For more of what you can find in iOS 18 and MacOS Sequoia, read how to get more from your iPhone with nine unique iOS 18 features and eight real-world uses for iPhone mirroring in iOS 18 and MacOS Sequoia.

If the Passwords app sounds familiar, that's because storing passwords isn't new to Apple's operating systems. The app accesses a set of low-level Keychains that the operating systems use to store sensitive information such as credentials for websites and apps and security certificates. Until now, this was difficult to access -- you had to open the more technical Keychain Access app (which is still available) or dig into system settings or Safari's preferences to find them.

The new Passwords app pulls all that data together into a simple interface that lets you add and edit passwords, generate automatic verification codes, create passkeys and share selected entries with other people. If you've used Apple's Reminders app, the look and approach will be familiar.

If you enable iCloud Keychain (in Settings > [Your Name] > iCloud > Saved to iCloud > Passwords and Keychain), the encrypted data securely syncs to the Passwords app on each of your devices.
It runs as a standalone app and ties into Safari to autofill site passwords. You can also access your passwords from a menu bar item. If your preferred browser on the Mac is Chrome or a Chromium-based browser such as Opera, you can install the iCloud Passwords extension for Chrome; Apple doesn't offer an official add-on for Firefox or DuckDuckGo, so be mindful of extensions that claim to work with iCloud Passwords.

Most of your passwords are likely for signing into websites such as your bank, online stores and other outlets. When you sign up for an account at a new site using Safari, Passwords prompts you to create a randomly generated secure password. Choose Use Strong Password, which creates a new entry in the app. The Passwords app doesn't need to be open for this to work, since it's integrated at the system level.

The advantage of having a standalone Passwords app is to give you a better way to create and manage these passwords. Most of the time you'll be prompted to create a new password, but there will be times when you'll need to manually do it.

1. Open the Passwords app and authenticate with your system password, Touch ID, Face ID or device passcode.
2. Click the + button or choose File > New Password.
3. Enter a title for the entry.
4. Type your user name in the User Name field (which could be an email address, depending on what the app or service requires).
5. Click the Password field and choose a secure password option that appears. You can also type directly into the field, but too often people use easily guessed or repeated passwords -- stick with the randomized ones the Passwords app is suggesting.
6. If you have any other information, such as recovery codes or details about an app purchase, enter those in the Notes field.
7. Click Save.

When you create a password using this method, there's no Website field -- Passwords leans heavily on the process of capturing login information when you're using the site's fields to sign up or log in.
You can add a link separately by clicking the Edit button in the entry you created and then typing or pasting the address in the Website field.

The next time you return to a site and need to sign in, you'll be prompted to use Passwords to autofill your stored information. Select the account that appears in the pop-up and then authenticate using Touch ID or Face ID, depending on your device.

If the autofill prompt doesn't appear, go to the Passwords Menu Bar item and search for the site there. Select it and then click the User Name or Password fields (or one and then the other) to copy the content and paste it into your browser.

Having a secure password is just the first security step in this day and age. Many sites now recommend (or outright require) a two-factor authentication option as well. Sometimes this is the mobile number you use for texting to receive a one-time code that expires after a set amount of time. Or it could be an automatic verification code that randomizes every 30 seconds.

To set up 2FA on a site, sign in to it and access your account settings. Look for an option such as "Sign up for two-factor authentication" or similar. Enter your phone number or email address -- the type depends on what the site is using -- and send it. The site then sends a verification code in the method you supplied.

That might be all the site requires. The next time you sign in, you'll be prompted to authenticate using that method, in which case you'll get a new code.

The system can automatically delete a text message or email containing the code when you're done with it -- after all, that number combination will never work again. Go to System Settings > General > AutoFill & Passwords and turn on Verification Codes: Delete After Use.

There may also be another level of authentication that doesn't rely on sometimes spotty SMS networks and email servers.
The site may accept a continuously changing code that is tied to your account, which can be generated and filled in using the Passwords app. Here's how to set that up:

1. In the two-factor authentication process, you'll likely be given a QR code to set up a verification code. Control-click the code and choose Set Up Verification Code from the contextual menu.
2. In the Passwords app, which automatically opens, select the entry for that site.
3. Click Add Verification Code.

Return to Safari and click the field asking for the verification code. A Passwords pop-up will appear for you to authenticate by entering the current code. If that doesn't appear, go to the Passwords app, click the Verification Code field and choose Copy Verification Code. Then paste it into the field in Safari.

The next time you log into that site, using Autofill will also apply the current verification code.

On the iPhone, the process is similar: When presented with a QR code, touch and hold it, then choose to Add Verification Code in "Passwords".

What if I told you we could just forget about passwords altogether? No more requirements that a password include at least 12 characters and numbers and special characters, not be a password you've used previously and also reference your favorite movie genre as expressed in prime numbers.

That's the promise of passkeys, a way of authenticating you using the secure hardware you're already using. With a passkey in place, you can sign into a site or app using Face ID or Touch ID on your iPhone, iPad, Mac or Vision Pro -- without typing a single character.

Setting up a passkey is similar to a 2FA method: Sign in to your account on a service that supports passkeys, view your account security settings and look for an option to create a passkey or security key. You'll get a prompt to store the passkey using Touch ID or Face ID (depending on the device you're using).
When you next sign in to that site, you won't see a password field at all: it prompts you to use the passkey instead.

Not only are they more convenient, but passkeys are also more secure. One of the biggest problems with passwords today isn't the danger that someone will somehow break into your devices and steal yours -- it's the industrial-scale theft of thousands or millions of passwords from the companies you've created passwords for as a result of hackers breaking into those servers. That's useful for sites such as Amazon, Shopify and Uber, for example, which contain valuable sensitive information about their customers and are frequent targets for hackers.

Your passwords are private, but sometimes you need to share them with someone. For example, let's say you and your spouse share a login to access a regular food delivery service. You can add the site's login information to a shared group in Passwords so you both have access to it. If you need to change that password, it's automatically updated in the Passwords app on their devices too. If you're using a passkey on your devices, they can also log in using a passkey that's created for their devices, securely tied to their Apple Account.

Sharing passwords involves creating a new shared group and then adding passwords to it:

1. In the Passwords app, click the + button that appears when you move the pointer over Shared Groups, or choose File > New Shared Group.
2. Type a Group Name.
3. Click the Add People button and choose the person from your contacts. Repeat if you're creating a group with several people.
4. Click Create.
5. In the next screen, search for (or scroll to locate) the password you want to share, and click the checkbox for it. Repeat for all of the passwords to share.
6. Click Move.
7. Optionally notify the other person by sending them a text message. Click Notify via Messages. Or click Not Now to not send a text -- they will still see the group invitation in their Passwords app.
One great new feature in Passwords is a handy way to share a Wi-Fi password without divulging the password itself: You show someone a QR code that grants them access.

You can also share a password with someone near you over AirDrop:

1. In the Passwords app, go to the password you want to share.
2. Click the Share button and authenticate to grant permission.
3. In the AirDrop window that appears, click the icon of the person near you.

When the other person accepts, the password is added to their Passwords app.

What if you already use another password app, such as 1Password or Bitwarden? You can export your passwords into the Passwords app on the Mac. But there are a few caveats.

First, the Passwords app accepts only a CSV (comma-separated values) file, which is just a big unencrypted text file. Your current password tracker should be able to export the file, then go to File > Import Passwords in the Passwords app and select it.

Then, and this is crucial, remember to securely delete that CSV file so all your passwords aren't sitting around vulnerable. You can do that in the Finder by deleting the file, which puts it into the Trash. Next, open the Trash, right-click or Control-click the file and choose Delete Immediately.

The other thing to keep in mind about importing passwords is that not everything may come over. 1Password, for example, stores items such as secure notes and credit cards that are not imported into the Passwords app.

When Apple announced the Passwords app as part of iOS 18 and MacOS Sequoia, some people wondered if the company had just "Sherlocked" other password keepers. The term comes from an old MacOS feature called Sherlock, which lets you search your computer for more than just file names. Other search utilities did the same thing, but when Apple built the feature into the system, it killed the market for many of those third-party apps.
On the surface, it sure sounds like Apple Sherlocked utilities such as 1Password, Bitwarden and LastPass (although LastPass and its poor security have done more damage to itself). Although Passwords assumes the core functions of storing and applying passwords, other apps still have their own advantages:

- Sharing between platforms: Other apps have iOS, MacOS, Windows and Android apps.
- Sharing between family members on different platforms: Similarly, if you want to share passwords with someone who isn't in the Apple ecosystem, a third-party app is the alternative.
- Other types of secure information: If you want to store sensitive data like notes, documents, credit cards and bank account numbers in one place, look to another app.