Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Gadgets & Lifestyle for Everyone
The Apple Password App vulnerability is a critical security flaw that left millions of iPhone users exposed to phishing attacks for nearly three months. Security researchers at Mysk discovered that the Passwords app used unencrypted HTTP connections instead of secure HTTPS. As a result, attackers on the same Wi‑Fi network could intercept requests and redirect users to fake login pages. Apple quietly patched the issue in iOS 18.2. However, the flaw had been live since iOS 18 launched in September 2024.
This guide explains the vulnerability in detail. You will learn how the exploit worked. You will also find out which devices were affected. Finally, you will discover what to do to protect your credentials.
For the full picture of Apple’s 2026 security overhaul, read our main guide: Apple iPhone Security Changes 2026.
The flaw affected the standalone Passwords app that Apple introduced with iOS 18 in September 2024. The app replaced the old Keychain‑based password manager. However, researchers at Mysk discovered a serious issue. The app sent unencrypted HTTP requests when fetching website icons and opening password reset pages. Consequently, an attacker on the same network could intercept these requests. The attacker could then redirect the user to a convincing phishing site.
The Mysk researchers explained: “An attacker with privileged network access could easily intercept the HTTP request and redirect the victim to a malicious website controlled by the attacker.”
The vulnerability earned a CVSS score of 9.1 (Critical). Security teams officially tracked it as CVE-2024-44276.
The attack required several conditions to align. First, the attacker needed to be on the same Wi‑Fi network as the victim. For example, this could happen at an airport, coffee shop, or hotel. Second, the victim had to open the Passwords app and tap a link, such as “Change Password.” Third, the Passwords app sent unencrypted HTTP requests for logos, icons, and password reset pages. An attacker could intercept these requests and swap in a fake login page. Finally, if the victim entered their credentials on the fake page, the attacker captured them.
The flaw did not affect the autofill function when signing into apps or websites. It only triggered when users launched a login page directly from the Passwords app.
| Date | Event |
|---|---|
| September 16, 2024 | iOS 18 launches with the standalone Passwords app. The HTTP flaw is present from day one. |
| September 2024 | Mysk researchers discover the issue and report it to Apple. |
| December 11, 2024 | Apple releases iOS 18.2, which includes a patch. The patch enforces HTTPS for all network communications. |
| March 17, 2025 | Apple quietly updates its security content pages to disclose the Apple Password App vulnerability and its fix. 9to5Mac first reports on the issue. |
| May 26, 2025 | ngCERT issues an urgent alert about the flaw, urging users to update. |
The flaw remained unpatched for approximately three months. Therefore, users remained exposed from iOS 18’s launch until iOS 18.2’s release.
The issue affected:
| iOS Version | Vulnerability Status |
|---|---|
| iOS 18.0 – 18.1.1 | ❌ Vulnerable (no patch) |
| iOS 18.2 | ✅ Patched (HTTPS enforced) |
| iOS 18.3 and later | ✅ Protected |
| iOS 26 | ✅ Protected (already using HTTPS) |
Apple delayed public disclosure of the Apple Password App vulnerability until March 2025. That was nearly three months after the patch was released. Security experts say this is a common practice. It allows users time to update before attackers learn about the flaw. However, critics argue that the long delay left users in the dark. It may also have discouraged timely updates.
Apple addressed the flaw in iOS 18.2 by enforcing HTTPS for all network communications within the Passwords app. The company’s official description reads:
“This issue was addressed by using HTTPS when sending information over the network.”
The fix applied not only to iOS but also to iPadOS, macOS Sequoia, and even visionOS for the Vision Pro headset. Apple credited Talal Haj Bakry and Tommy Mysk of Mysk Inc. for discovering the vulnerability.
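As an added illustration (not Apple’s or Mysk’s code) of the mechanism described in the attack walkthrough and of what the iOS 18.2 fix enforces, the following Python models a password manager that refuses to fetch site icons or password reset pages over plaintext, plus a simple log check that would have flagged the vulnerable behaviour. The log format, the app name, the URLs and the allowed-scheme policy are constructed assumptions for this example.

```python
"""Added example: enforce HTTPS for a password manager's outbound requests
and flag plaintext HTTP requests in constructed network log lines."""
import re
from urllib.parse import urlsplit, urlunsplit

# Hypothetical policy mirroring the iOS 18.2 fix: only HTTPS may leave the app.
ALLOWED_SCHEMES = {"https"}


def enforce_https(url: str) -> str:
    """Return an https:// URL, upgrading plain http:// and rejecting all else.

    Upgrading rather than refusing http:// is a deliberate choice here: an icon
    or reset page that is only reachable over plaintext is not worth fetching
    from a credential store, so the upgraded request simply fails safely.
    """
    parts = urlsplit(url.strip())
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"refusing non-HTTPS request: {url!r}")
    return urlunsplit(parts)


# Constructed log lines in an assumed "app method url" format, not real output.
SAMPLE_LOG = """\
Passwords GET http://example.com/favicon.ico
Passwords GET http://example.com/account/reset
Passwords GET https://example.net/favicon.ico
Safari GET http://example.org/
"""

LOG_RE = re.compile(r"^(?P<app>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def find_plaintext_requests(log_text: str, app: str = "Passwords") -> list[str]:
    """Return the URLs that the named app requested over unencrypted HTTP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["app"] == app and urlsplit(m["url"]).scheme == "http":
            hits.append(m["url"])
    return hits


if __name__ == "__main__":
    for plain in find_plaintext_requests(SAMPLE_LOG):
        print("plaintext request:", plain, "->", enforce_https(plain))
```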
| Aspect | Before Patch (HTTP) | After Patch (HTTPS) |
|---|---|---|
| Encryption | No encryption – plain text | End‑to‑end encryption |
| Intercept risk | High – attacker on same network can see traffic | Low – encrypted traffic cannot be read |
| Redirection risk | Yes – attacker can redirect to fake site | No – HTTPS prevents tampering |
| Privacy | Poor – logos and icons exposed | Strong – all data encrypted |
| User action needed | None (default behavior) | None (automatic after update) |
Q1: What is the Apple Password App vulnerability in simple terms?
A: The flaw meant the Passwords app used unencrypted HTTP instead of secure HTTPS. Attackers on the same Wi‑Fi could intercept requests and send users to fake login pages to steal their passwords.
Q2: Which iOS versions were affected?
A: iOS 18.0 through 18.1.1 were vulnerable. iOS 18.2 (released December 11, 2024) patched the issue. All later versions are protected.
Q3: Was I affected if I never used the Passwords app?
A: No. The vulnerability only triggered when you opened the Passwords app and tapped a link, such as “Change Password.” If you never used the app or only used autofill, you were likely safe.
Q4: What should I do now?
A: Update your iPhone to iOS 18.2 or later immediately. Then change passwords for any sensitive accounts (banking, email, work) that you accessed during the vulnerable period.
The Apple Password App vulnerability was a serious oversight. Apple shipped an app designed to protect credentials but forgot to use HTTPS. For three months, millions of iPhone users faced phishing risks on public Wi‑Fi. Apple has since patched the issue. However, this incident reminds us to install software updates promptly and avoid sensitive actions on untrusted networks.
Next step: Learn how to enable Lockdown Mode for extra protection with our guide on Lockdown Mode Explained.