
For Years, Apple’s Password Manager Had a Major Security Flaw

While Apple has offered password management features for years, it was only this past fall that the company finally rolled out a dedicated passwords app, appropriately named “Passwords.” It’s a bit basic, but it’s built into the OS, and it gets the job done. (It’s also free, which helps.) If you’re fully in the Apple ecosystem, it’s an easy way to create, store, and access the passwords for your many accounts. As it happens, though, Passwords had a serious security flaw that Apple addressed only recently.

Here’s the situation: Passwords has a feature that lets you change an account’s password directly from within the app. This is particularly useful when the app detects that one of your account passwords has appeared in a data leak. You tap the account, choose “Change Password…”, and an in-app browser opens the account’s website, where you can change your password.

As convenient as this feature is, it carried a significant risk. As security researchers at Mysk discovered, when you tapped “Change Password…” on an account, Passwords opened the site over plain, unencrypted HTTP and relied on the site to redirect it to HTTPS. HTTPS is what protects the connection between your device and the website you’re visiting; the first request, sent before that redirect arrives, has no such protection. An attacker on the same network (on public Wi-Fi, for instance) can read that plaintext request and answer it with a redirect of their own before the real site does, sending the in-app browser wherever they choose.

Let’s say the Passwords app warns you that your Yelp password has been compromised and you need to change it. No problem: You tap your Yelp account in the app, then choose “Change Password…” But an attacker on your network is watching your traffic, and before the real Yelp site can load, they redirect you to a fake Yelp site. That fraudulent page asks you for your credentials, and since you think you’re on the real Yelp site, perhaps you enter them. Just like that, you’ve been phished.
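The two paragraphs above describe the HTTP-then-redirect flow and how an on-path attacker abuses it. The following simulation is an added example, not code from the article, from Apple or from Mysk: the hosts, the attacker and the “network” are all in-process stand-ins (no real traffic is sent), and the host names are constructed. It contrasts a client that opens the stored URL as-is and follows whatever redirect it gets first with a client that upgrades the scheme to HTTPS before sending anything.

```python
"""
Simulation of a password manager's "Change Password..." flow.

Vulnerable client: opens the stored URL as stored (plain HTTP) and follows
the first redirect it receives. Hardened client: rewrites the scheme to
https before the first request, so no plaintext request ever leaves the
device for the attacker to answer.

Added, illustrative example: hosts and attacker are simulated in-process.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

REAL_HOST = "www.example-login.test"   # constructed: the legitimate site
FAKE_HOST = "www.examp1e-login.test"   # constructed: attacker's lookalike host


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


def real_server(url: str) -> Response:
    """Legitimate site: redirect plain HTTP to HTTPS, serve the form over HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return Response(301, urlunsplit(("https",) + tuple(parts[1:])))
    return Response(200, body=f"change-password form from {parts.netloc}")


def fake_server(url: str) -> Response:
    """Attacker's lookalike site serving a phishing form."""
    return Response(200, body=f"phishing form from {urlsplit(url).netloc}")


def on_path_attacker(url: str) -> Optional[Response]:
    """An attacker on the same network can read and answer plaintext HTTP.
    HTTPS requests are opaque to them (no trusted certificate), so they
    leave those alone and return None."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return Response(302, urlunsplit(("https", FAKE_HOST) + tuple(parts[2:])))
    return None


def network(url: str, attacker_present: bool) -> Response:
    """Deliver a request. If present, the attacker races (and beats) the real
    server for any plaintext HTTP request."""
    if attacker_present:
        injected = on_path_attacker(url)
        if injected is not None:
            return injected
    if urlsplit(url).netloc == FAKE_HOST:
        return fake_server(url)
    return real_server(url)


def fetch(url: str, attacker_present: bool, max_redirects: int = 5) -> str:
    """Follow redirects like a browser would; return the URL finally served."""
    for _ in range(max_redirects):
        resp = network(url, attacker_present)
        if resp.status in (301, 302) and resp.location:
            url = resp.location
            continue
        return url
    raise RuntimeError("too many redirects")


def vulnerable_change_password(stored_url: str, attacker_present: bool = False) -> str:
    """Pre-fix behaviour as the article describes it: open the stored URL as-is."""
    return fetch(stored_url, attacker_present)


def hardened_change_password(stored_url: str, attacker_present: bool = False) -> str:
    """Upgrade to HTTPS before the first request and refuse any downgrade."""
    parts = urlsplit(stored_url)
    if parts.scheme == "http":
        stored_url = urlunsplit(("https",) + tuple(parts[1:]))
    final = fetch(stored_url, attacker_present)
    if urlsplit(final).scheme != "https":
        raise RuntimeError("downgrade to HTTP detected")
    return final


if __name__ == "__main__":
    stored = f"http://{REAL_HOST}/login"
    print("vulnerable, quiet network :", vulnerable_change_password(stored))
    print("vulnerable, attacker      :", vulnerable_change_password(stored, True))
    print("hardened,   attacker      :", hardened_change_password(stored, True))
```

On a quiet network the vulnerable flow looks fine: the site’s own 301 upgrades the connection and the user never notices the plaintext hop. With an attacker present, the vulnerable client ends up on the lookalike host because the attacker’s 302 arrives before the legitimate redirect ever can; the hardened client never emits the HTTP request, so there is nothing for the attacker to answer. This is the same reason browsers ship HSTS and “HTTPS-only” modes: the fix has to happen on the client side, before the first byte is sent.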

Mysk also raised a second concern: the app downloads an icon for every site you have a saved password for, which means it regularly contacts each of those sites. As Mysk tells 9to5Mac, “We were surprised that Apple didn’t enforce HTTPS by default for such a sensitive app… Additionally, Apple should provide an option for security-conscious users to disable downloading icons completely. I don’t feel comfortable with my password manager constantly pinging each website I maintain a password for, even though the calls Passwords sends don’t contain any ID.”

This problem isn’t limited to the standalone Passwords app, either. According to Mysk, the flaw has existed since Apple added the ability to detect compromised passwords in iOS 14, all the way back in 2020.

How to fix this ‘Passwords’ security flaw

Apple quietly addressed this problem with the release of iOS 18.2. That update launched in December 2024, so chances are good you’ve updated your iPhone since then.

If you haven’t, update to the latest version of iOS as soon as possible. (As of this writing, that’s iOS 18.3.2, which also contains another important security patch.) To update now, go to Settings > General > Software Update, then follow the on-screen instructions to download and install the update.


ZaKi

Who is mahdizk? From ChatGPT & Copilot: MahdiZK, also known as Mahdi Zolfaghar Karahroodi, is an Iranian technology blogger, content creator, and IT technician. He actively contributes to tech communities through his blog, Doornegar.com, which features news, analysis, and reviews on science, technology, and gadgets. Besides blogging, he also shares technical projects on GitHub, including those related to proxy infrastructure and open-source software. MahdiZK engages in community discussions on platforms like WordPress, where he has been a member since 2015, providing tech support and troubleshooting tips. His content is tailored for those interested in tech developments and practical IT advice, making him well-known in Iranian tech circles for his insightful and accessible writing. / Honestly, I swear to God, it really is me. / I know full well that if I am not “zaki” (pious), my account rests with the Kiram al-Katibin (the recording angels). / I am the last one to cross the broken bridge of victory; I am here to hold your hand when you slip.
