Apple Passwords app: Problematic bug is said to have existed for months

Attackers in a “privileged network position”, i.e., on the same Wi-Fi or Ethernet network, could read unencrypted requests sent by Apple's Passwords app. This made phishing attacks possible.


Apple logo on the hook (symbolic image): Passwords app vulnerable to phishing for several months.

(Image: Created with Midjourney by Mac & i)

With iOS 18.2, released in December, Apple fixed a security vulnerability in the Passwords app. Security researcher Tommy Mysk has now published the details. According to him, it was at least theoretically possible for several months to carry out certain types of phishing attacks against users on the same network. The reason: Apple simply did not encrypt several of the requests sent by the password application. The traffic could therefore be recorded by anyone on the same Wi-Fi or Ethernet network as the victim.

It is unclear why it took Apple so long to release a patch (iOS 18 had shipped with the bug back in September). Apple's brief description of the problem: “A user in a privileged network position can leak sensitive information.” The problem has been fixed by encrypting the traffic with HTTPS. In addition to iOS, iPadOS was also affected until version 18.2.

The bug was discovered after the App Privacy Report on one of Mysk's devices showed that 130 different websites had been contacted over insecure HTTP connections. It turned out that account logos and/or icons were being requested. In addition, by default the app also initially opened known password reset forms without encryption. As Mysk told the Apple blog 9to5Mac, this allowed such a request to be intercepted and redirected to a phishing website.

It is unclear whether such attacks actually occurred; Apple does not cite any reports available to the company. “We were surprised that Apple did not enforce HTTPS by default for such a sensitive app,” writes Mysk. There is also another problem: the app offers no way to prevent icons from being requested.

“I don't feel comfortable with my password manager constantly pinging every website for which I manage a password with it – even if the calls that the password app sends don't contain an ID.” It is conceivable that Apple routes these requests through a proxy; but they simply must not be unencrypted. Mysk demonstrated the attack he discovered using, among other things, a website that imitated Microsoft's Live.com and then used it to harvest passwords.
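The two practical lessons from the report above are the detection side (a privacy or network report that reveals plaintext HTTP requests from a password manager) and the fix side (enforce HTTPS, including on redirects). The following is an added example written for this article; it is not Apple's code and not Mysk's. The log entries are constructed and only loosely modelled on the style of App Privacy Report data; the `/.well-known/change-password` path is a real convention for password reset pages, but whether Apple's app requests that specific path is an assumption.

```python
"""Audit constructed network entries for plaintext HTTP from a password
manager, and a client-side policy that refuses to fetch icons or reset
forms over anything but HTTPS (added example, not Apple's code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entries: (app name, URL contacted).
SAMPLE_ENTRIES = [
    ("Passwords", "http://example-bank.test/favicon.ico"),
    ("Passwords", "https://example-mail.test/apple-touch-icon.png"),
    ("Passwords", "http://example-shop.test/.well-known/change-password"),
    ("Weather", "http://weather.test/api"),
    ("Passwords", "https://example-bank.test/.well-known/change-password"),
]


@dataclass(frozen=True)
class Finding:
    app: str
    url: str
    kind: str  # "icon", "reset-form" or "other"


def classify(url):
    """Rough guess at what the request was for, based on the path."""
    path = urlsplit(url).path.lower()
    if path.endswith((".ico", ".png", ".svg")) or "icon" in path:
        return "icon"
    if "change-password" in path or "reset" in path:
        return "reset-form"
    return "other"


def audit(entries, app_name="Passwords"):
    """Return a Finding for every plaintext HTTP request made by app_name."""
    findings = []
    for app, url in entries:
        if app != app_name:
            continue
        if urlsplit(url).scheme.lower() == "http":
            findings.append(Finding(app, url, classify(url)))
    return findings


class InsecureSchemeError(ValueError):
    """Raised when a fetch would leave the device unencrypted."""


def enforce_https(url, upgrade=True):
    """Outbound fetch policy: only https is allowed. Plain http is upgraded
    when upgrade=True and rejected otherwise; any other scheme is rejected."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return url
    if scheme == "http" and upgrade:
        return urlunsplit(("https", parts.netloc, parts.path,
                           parts.query, parts.fragment))
    raise InsecureSchemeError(f"refusing non-HTTPS URL: {url}")


def safe_redirect_target(location):
    """Apply the same policy to a redirect Location header without upgrading,
    so a downgrade to http somewhere in a redirect chain is refused outright."""
    return enforce_https(location, upgrade=False)


def is_fetch_allowed(url):
    """Convenience wrapper: True if the strict (no-upgrade) policy accepts url."""
    try:
        safe_redirect_target(url)
        return True
    except InsecureSchemeError:
        return False


if __name__ == "__main__":
    for f in audit(SAMPLE_ENTRIES):
        print(f"plaintext {f.kind} request by {f.app}: {f.url}")
    print(enforce_https("http://example-bank.test/favicon.ico"))
    print(is_fetch_allowed("http://example-shop.test/login"))
```

Running the audit over the constructed entries flags the two plaintext requests from the Passwords app (one icon fetch, one reset-form fetch) and ignores the unrelated Weather app. The policy functions show the shape of the fix Apple shipped: upgrade to HTTPS before the first request goes out, and never follow a redirect back to plain HTTP.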


(bsc)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.