Apple’s Password Manager Has Had a Major Security Flaw for Years
While Apple has been offering password management for years, it wasn’t until last fall that the company finally released a dedicated password app, appropriately named Passwords. It’s a little basic, but it’s built into the OS and gets the job done. (It’s also free, which helps.) If you’re fully invested in the Apple ecosystem, it’s an easy way to create, store, and access passwords for your many accounts. However, as it turns out, Passwords has had a serious security flaw that Apple only recently fixed.
Here’s the situation: Passwords has a feature that lets you change an account’s password directly from the app. This is especially useful when the app flags one of your passwords as having shown up in a known data leak. You click the account, select “Change Password…”, and an in-app browser opens the account’s website, where you can change your password.
As convenient as this feature is, it carried a real security risk. As the security researchers at Mysk discovered, when you clicked “Change Password…”, the in-app browser first requested the site over unencrypted HTTP and relied on the site to redirect it to encrypted HTTPS. Only the HTTPS leg is encrypted and authenticated, so only there is your device guaranteed to be talking to the real site. The initial plaintext request is neither, which means anyone positioned on the network path (an attacker on the same public Wi-Fi, for instance) can read it and answer with a redirect of their own before the real site’s response arrives.
Let’s say the Passwords app warns you that your Yelp password has been compromised and you need to change it. No problem: you click your Yelp account in the app, then select “Change Password…”. But an attacker on your network intercepts that first plaintext request and, before the real Yelp site can load, redirects you to a fake Yelp site. The scam page entices you to type in your sensitive information, and since you think you’re visiting the real Yelp site, you probably do. And that’s how you get phished.
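The following is an added example, not code from the article, from Apple, or from Mysk. It models the exchange described above in Python: a password manager that opens its “Change Password…” link over plain HTTP, an on-path attacker who can rewrite plaintext traffic but not TLS traffic, and the same client with HTTPS enforced before the first request leaves the device. The hostnames, the look-alike phishing URL, and the responses are all constructed for illustration.

```python
"""Toy model of why a password manager must open its links over https://.

Added example (not from the article, Apple, or Mysk). All hosts, URLs and
responses below are constructed; no real site behaviour is reproduced.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed hosts (not real sites).
LEGIT_HOST = "yelp.example"
PHISH_URL = "http://yelp-account-security.example/reset"  # attacker's look-alike


def legit_origin(url):
    """Constructed model of a well-configured site.

    The plaintext listener exists only to bounce visitors to HTTPS; the real
    change-password form is served only over TLS.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        return {"status": 301, "location": urlunsplit(("https",) + parts[1:])}
    return {"status": 200, "body": f"real change-password form on {parts.netloc}"}


def honest_network(url):
    """No attacker: every request reaches the legitimate origin."""
    return legit_origin(url)


def on_path_attacker(url):
    """An attacker on the same network segment (public Wi-Fi, a rogue AP).

    A plaintext http:// request is readable and rewritable in transit, so the
    attacker answers the very first request with a redirect to a look-alike
    before the real site's reply arrives. An https:// request is not: TLS
    authenticates the server, so the attacker can only pass it through.
    """
    parts = urlsplit(url)
    if parts.netloc == urlsplit(PHISH_URL).netloc:
        return {"status": 200, "body": "fake change-password form (credentials harvested)"}
    if parts.scheme == "http":
        return {"status": 302, "location": PHISH_URL}
    return legit_origin(url)


def follow_redirects(url, network, max_hops=5):
    """Minimal client: follow 301/302 until a page is served."""
    trail = [url]
    for _ in range(max_hops):
        resp = network(url)
        if resp["status"] in (301, 302):
            url = resp["location"]
            trail.append(url)
        else:
            return url, resp["body"], trail
    raise RuntimeError("too many redirects")


def open_change_password_link(stored_url, network, enforce_https=False):
    """The password manager's "Change Password..." action.

    enforce_https=False: the behaviour the article describes, first hop over
    plain HTTP, trusting the site to upgrade the connection.
    enforce_https=True: rewrite the scheme locally before sending anything,
    so no plaintext request ever leaves the device.
    """
    parts = urlsplit(stored_url)
    if enforce_https and parts.scheme == "http":
        stored_url = urlunsplit(("https",) + parts[1:])
    return follow_redirects(stored_url, network)


if __name__ == "__main__":
    link = f"http://{LEGIT_HOST}/account/password"
    for label, net, enforce in [
        ("honest network, HTTP first", honest_network, False),
        ("on-path attacker, HTTP first", on_path_attacker, False),
        ("on-path attacker, HTTPS enforced", on_path_attacker, True),
    ]:
        final, body, trail = open_change_password_link(link, net, enforce)
        print(f"{label}: {' -> '.join(trail)}\n   served: {body}")
```

The point the model makes is that the site’s own HTTP-to-HTTPS redirect is no protection at all, because the attacker gets to answer the plaintext request first. The only fix that closes the window is the one Mysk asked for: never send the plaintext request in the first place.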
As Mysk told 9to5Mac, “We were surprised that Apple doesn’t enforce HTTPS by default for such a sensitive app… Additionally, Apple should give security-conscious users the option to disable icon loading entirely. I don’t feel comfortable having my password manager constantly check every website I maintain a password for, even though the challenges sent by the password don’t contain any identifier.”
The issue isn’t new to the Passwords app, either. According to Mysk, the flaw has existed since Apple introduced compromised-password detection in iOS 14 back in 2020.
How to fix this “Passwords” security flaw
Apple quietly addressed this issue in iOS 18.2, released in December 2024, so chances are good that you’re already protected if you’ve updated your iPhone since then.
If you haven’t, update iOS to the latest version as soon as possible. (As of this writing, that’s iOS 18.3.2, which also contains another major security patch.) To update now, go to Settings > General > Software Update, then follow the onscreen instructions to download and install the update.