The Passwords app, which Apple introduced to simplify credential management on its devices, has been at the center of a recent controversy after a serious vulnerability was found in it.
Researchers at the cybersecurity firm Mysk found that the app exposed thousands of users to potential phishing attacks because some of its connections used unencrypted HTTP. To learn more about how to avoid falling victim to these threats, you can read how Apple helps us identify legitimate emails and prevent phishing.
The vulnerability had reportedly existed for several months, and it allowed an attacker with access to the same network to intercept and modify password-reset requests. Under certain conditions a user could therefore be redirected, without noticing, to a fake page designed to steal their credentials.
How the phishing attack worked
According to Mysk's analysis, the problem was that the app requested information about the stored services without ensuring a secure connection. In simple terms, any attacker connected to the same Wi-Fi network could intercept that traffic and substitute a fraudulent page for the legitimate site. Because plain HTTP is neither encrypted nor authenticated, the app had no way to tell a tampered reply from a genuine one. This type of attack is common, as mentioned in the context of iPhone users being targeted for mass phishing.
The attack could have been carried out easily on public networks, such as those in coffee shops or airports, where cybercriminals often prey on unsuspecting victims. Once the user entered their details on the fake website, those credentials were in the attacker's hands and could be used to gain illegitimate access to the user's accounts.
Apple reacts with a fix in iOS 18.2
Although the issue only came to light recently, Apple fixed the vulnerability in December with the iOS 18.2 update. The fix was to make HTTPS mandatory for the app's connections, which closes the loophole: the traffic is encrypted and the server is authenticated, so an attacker on the same network can no longer read or alter it. Still, online security also depends on good practices, as you can read in our security tips for your iPhone.
However, the fact that this vulnerability went unnoticed for so long raises questions about Apple's security controls for its new apps. The company did not report the issue publicly until the researchers pointed it out, which has raised concerns among users and cybersecurity experts.
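The following is an added, self-contained illustration of the two behaviours described above (the plaintext lookup that an attacker on the same network can rewrite, and the HTTPS-only lookup that Apple shipped as the fix). It is not Apple's or Mysk's code: the stored service URL, the server's 302 reply, the attacker's look-alike host and the `deliver()` stand-in for the network are all constructed for this example, and the transport model simply treats an https:// exchange as tamper-proof rather than performing real TLS.

```python
"""Offline model of the Passwords-app weakness and its fix (added example).
An on-path attacker can rewrite a plain-HTTP reply; an HTTPS reply cannot be
altered in transit. No real network I/O: everything below is constructed."""

from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the legitimate server's redirect to its reset page.
LEGIT_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://accounts.example.com/password/reset\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def on_path_rewrite(raw_response: bytes, attacker_host: str) -> bytes:
    """What an attacker on the same Wi-Fi can do to a plaintext reply:
    point the Location header at a look-alike host they control."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for i, line in enumerate(lines):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            forged = urlsplit(value.strip().decode())._replace(netloc=attacker_host)
            lines[i] = b"Location: " + urlunsplit(forged).encode()
    return b"\r\n".join(lines) + sep + body


def deliver(url: str, raw_response: bytes, attacker_host: Optional[str]) -> bytes:
    """Stand-in for the transport (assumption of this example). An http://
    exchange can be read and rewritten by an on-path attacker; an https://
    exchange is modelled as tamper-proof, since TLS would reject a modified
    record, so it is passed through unchanged."""
    if urlsplit(url).scheme == "http" and attacker_host:
        return on_path_rewrite(raw_response, attacker_host)
    return raw_response


def redirect_target(raw_response: bytes) -> Optional[str]:
    """Return the Location of a 3xx reply, or None if it is not a redirect."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    status = head[0].split(b" ")
    if len(status) < 2 or not status[1].startswith(b"3"):
        return None
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            return value.strip().decode()
    return None


def vulnerable_lookup(service_url: str, attacker_host: Optional[str] = None) -> Optional[str]:
    """Pre-fix behaviour as the article describes it: send the request with
    whatever scheme the stored URL carries and trust the reply as-is."""
    return redirect_target(deliver(service_url, LEGIT_RESPONSE, attacker_host))


def hardened_lookup(service_url: str, attacker_host: Optional[str] = None) -> Optional[str]:
    """Post-fix behaviour: never speak plaintext (upgrade http to https before
    sending anything) and refuse a redirect that would drop back to http."""
    parts = urlsplit(service_url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    elif parts.scheme != "https":
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    target = redirect_target(deliver(urlunsplit(parts), LEGIT_RESPONSE, attacker_host))
    if target is not None and urlsplit(target).scheme != "https":
        raise ValueError(f"refusing insecure redirect: {target}")
    return target


if __name__ == "__main__":
    # Constructed stored entry and attacker host; the path follows the
    # well-known change-password convention, used here only as an example.
    stored = "http://www.example.com/.well-known/change-password"
    evil = "accounts.example.com.evil.test"
    print("plain HTTP, no attacker   :", vulnerable_lookup(stored))
    print("plain HTTP, on-path MITM  :", vulnerable_lookup(stored, evil))
    print("HTTPS enforced, same MITM :", hardened_lookup(stored, evil))
```

Run it and the second line shows the user being sent to the attacker's host while the third still lands on the genuine reset page. The design point is that the client must enforce the scheme itself before the first byte leaves the device; a server-side redirect to HTTPS arrives too late, because the plaintext request and reply that precede it are exactly what an on-path attacker rewrites.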
The risks of blindly trusting password managers
This type of failure calls into question the reliability of password managers built into operating systems. While tools like Apple's Passwords app offer convenience and, in many ways, better security, no solution is completely foolproof. The general recommendation remains to enable two-factor authentication (2FA) on all critical accounts, which adds an extra layer of protection in case credentials are compromised; in particular, it is essential to use two-factor authentication to protect critical accounts like iCloud. Bear in mind that a phishing page can also ask for a one-time code, so phishing-resistant methods such as passkeys or hardware security keys offer stronger protection than codes sent by SMS or app.
In addition, users should keep their devices updated with the latest version of iOS, because many of these vulnerabilities are only corrected by software updates. Apple has hardened the app's connections, but anyone who has not updated their operating system could still be exposed to the issue.
Leaks and security breaches are a constant in the digital world, which underlines the need to stay alert to potential risks. This incident with Apple's Passwords app is a reminder that even the most secure tools can fail at some point. The best defense remains a combination of good cybersecurity practices and the use of advanced protection technologies.