Apple fixes Passwords app vulnerability enabling Wi-Fi attacks

Do you retrieve Apple’s "Privacy. That's iPhone" selling campaigns? If you’re not aware, the institution likes to represent its products arsenic being synonymous with privacy. However, the caller question of information vulnerabilities affecting iPhones and Macs suggest Apple’s products whitethorn not beryllium arsenic unafraid arsenic advertised.

A caller information blunder lone reinforces this point. Security researchers discovered that Apple’s built-in password manager app, Passwords, was susceptible to phishing attacks for astir 3 months aft launch. This meant an attacker connected the aforesaid Wi-Fi web arsenic you, similar astatine an airdrome oregon java shop, could redirect your browser to a lookalike phishing tract to bargain your login credentials.

Stay protected & informed! Get information alerts & adept tech tips – motion up for Kurt’s The CyberGuy Report now.

A idiosyncratic holding an iPhone (Kurt "CyberGuy" Knutsson)

What you request to know

Security researchers at Mysk, noticed that Apple's Passwords app, introduced with iOS 18 successful September 2024, had a important information flaw that near users susceptible to phishing attacks for astir 3 months.

The app utilized unencrypted HTTP connections alternatively of the much unafraid HTTPS to fetch logos and icons displayed alongside stored passwords. This allowed attackers connected the aforesaid network, specified arsenic nationalist Wi-Fi astatine a java store oregon airport, to intercept these requests and perchance redirect users to phishing sites designed to bargain login credentials.

The contented remained unresolved from iOS 18’s motorboat successful September 2024 until Apple fixed it successful December 2024, leaving users exposed for astir 3 months. If idiosyncratic opened the Passwords app and tapped a link, similar "Change Password," portion connected to an insecure network, an attacker could intercept the petition and redirect them to a fraudulent tract mimicking a morganatic one, specified arsenic a fake Yelp login page. Since the app did not enforce HTTPS, users mightiness not announcement the switch, putting their delicate accusation astatine risk.

A pistillate connected her iPhone (Kurt "CyberGuy" Knutsson)

HOW TO PROTECT AN IPHONE & IPAD FROM MALWARE IN 2025

Apple has fixed the contented now

Apple addressed the occupation aft information researchers from Mysk reported it successful September 2024. The iOS 18.2 update, released successful December, patched the vulnerability by enforcing HTTPS for each web communications wrong the Passwords app, making it overmuch harder for attackers to intercept oregon redirect traffic.

If you’re utilizing an iPhone oregon iPad with the Passwords app, guarantee your instrumentality is updated to iOS 18.2 oregon later. This ensures you’re protected from this vulnerability. If you haven’t updated yet and utilized the app connected nationalist Wi-Fi betwixt September and December 2024, see changing passwords for immoderate accounts you accessed during that period, conscionable to beryllium safe. 

How to update the bundle connected your iPhone

Follow the steps to update your iPhone oregon iPad:

• Tap on Settings
• Tap on General
• Tap on Software Update
• If an update is available, it volition springiness you the enactment to download and install

Software update (Kurt "CyberGuy" Knutsson)

YOUR IPHONE HAS A HIDDEN FOLDER EATING UP STORAGE SPACE WITHOUT YOU EVEN KNOWING

6 ways you tin enactment harmless from hackers targeting your passwords

Apple's caller information blunder with the Passwords app highlights the value of taking steps to support your integer identity. Here are immoderate ways you tin enactment harmless from hackers targeting your passwords.

1) Use a reliable password manager: Apple apps are mostly much unafraid than third-party options, but the Passwords app intelligibly wasn’t. The information that the information vulnerability existed for 3 months earlier Apple fixed it proves that Apple needs to enactment much accent connected keeping lawsuit information secure. I’d suggest opting for a reliable password manager alternatively of relying connected Apple’s offering. Get much details astir my best expert-reviewed password managers of 2025 here.

2) Enable two-factor authentication (2FA): It’s bully to person a password manager, but you cognize what’s adjacent better? 2FA. Adding an other furniture of information with 2FA tin forestall hackers from accessing your accounts, adjacent if they bargain your password. Use authentication apps similar Google Authenticator, Microsoft Authenticator oregon hardware information keys alternatively of SMS-based codes, which are susceptible to SIM-swapping attacks.

3) Avoid nationalist Wi-Fi for delicate activities and usage a VPN: Hackers tin exploit unsecured nationalist networks to intercept your login credentials. If you indispensable entree delicate accounts on public Wi-Fi, usage a VPN to encrypt your net postulation and forestall attackers from snooping connected your data. VPNs volition support you from those who privation to way and place your imaginable determination and the websites that you visit. A reliable VPN is indispensable for protecting your online privateness and ensuring a secure, high-speed connection. For the champion VPN software, spot my adept reappraisal of the champion VPNs for browsing the web privately connected your Windows, Mac, Android and iOS devices.

4) Beware of phishing attacks and instal beardown antivirus software: You tin person each the extortion successful the satellite but a phishing email oregon SMS tin inactive origin havoc. Hackers often usage fake login pages to instrumentality you into entering your credentials. Always verify URLs earlier entering login details, debar clicking connected suspicious links successful emails oregon messages. The champion mode to safeguard yourself from malicious links is to person antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe. Get my picks for the champion 2025 antivirus extortion winners for your Windows, Mac, Android and iOS devices.

5) Keep your devices updated: Regularly update your devices and bundle to guarantee you person the latest information patches.

6) Regularly show each your accounts: Monitor your accounts for suspicious enactment and study immoderate antithetic transactions oregon login attempts to Apple.

APPLE RELEASES EMERGENCY SECURITY UPDATE FOR SERIOUS VULNERABILITY

Kurt's cardinal takeaway

Three months is simply a agelong clip for a information flaw successful a password manager to spell unpatched, particularly from a institution that presents itself arsenic a person successful privateness and security. This incidental highlights a troubling reality. Apple’s information measures are not infallible, and adjacent built-in strategy apps tin exposure users to superior risks. While the hole yet arrived, it should not person taken this agelong for specified a cardinal contented to beryllium addressed. If Apple wants to support its privacy-first image, it needs to bash amended by ensuring much rigorous information investigating earlier launch.

Do you deliberation Apple is doing capable to enactment up of evolving cyber threats oregon are determination further steps the institution should instrumentality to support its users? Let america cognize by penning america at Cyberguy.com/Contact.

For much of my tech tips and information alerts, subscribe to my escaped CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Alert: Malware steals slope cards and passwords from millions of devices.

Ask Kurt a question oregon fto america cognize what stories you'd similar america to cover.

Follow Kurt connected his societal channels:

• Facebook
• YouTube
• Instagram

Answers to the most-asked CyberGuy questions:

• What is the champion mode to support your Mac, Windows, iPhone and Android devices from getting hacked?
• What is the champion mode to enactment private, unafraid and anonymous portion browsing the web?
• How tin I get escaped of robocalls with apps and information removal services?
• How bash I region my backstage information from the internet?

New from Kurt:

• Try CyberGuy's caller games (crosswords, connection searches, trivia and more!)
• CyberGuy's exclusive coupons and deals

Copyright 2025 CyberGuy.com. All rights reserved.