
Executive Brief
Apple addressed a security vulnerability in its Passwords app that left users exposed to potential phishing attacks for approximately three months. Security researchers at Mysk discovered that the Passwords app, introduced with iOS 18 in September 2024, was sending unencrypted HTTP requests when fetching website icons and logos. Attackers positioned on the same Wi-Fi network could intercept these requests and redirect users to malicious phishing sites designed to steal credentials.
The vulnerability affected users across multiple Apple platforms including iPhone, iPad, Mac, and Vision Pro. Apple confirmed the fix in iOS 18.2, released in December 2024, stating the issue was addressed by using HTTPS when sending information over the network. The security advisory assigned two CVE identifiers to the vulnerabilities: CVE-2024-44276 and CVE-2024-54492.
Mysk reported the vulnerability to Apple in September 2024, shortly after iOS 18 launched. The three-month window between discovery and patch deployment represents a period during which users accessing their password manager on public or shared Wi-Fi networks faced elevated risk. The vulnerability did not compromise stored passwords directly but created an attack vector for credential theft through social engineering.
What Happened
Apple released iOS 18 on September 16, 2024, introducing a standalone Passwords app that consolidated password management features previously scattered across Settings and Safari. Security researchers Talal Haj Bakry and Tommy Mysk of Mysk Inc. began analyzing the new app shortly after release.
During their analysis, the researchers discovered that the Passwords app was making unencrypted HTTP requests to fetch website icons and logos displayed alongside saved credentials. When a user opened the Passwords app, it would request favicon images from websites to provide visual identification for each saved login.
Mysk reported the vulnerability to Apple in September 2024. According to The Verge, Apple did not immediately acknowledge the severity of the issue. The company released iOS 18.2 in December 2024, which included the fix for the HTTP vulnerability.
Apple's security advisory for iOS 18.2, published on December 11, 2024, documented two related vulnerabilities in the Passwords component. CVE-2024-44276 addressed the information leakage risk, while CVE-2024-54492 addressed the network traffic alteration risk. Both entries credited Talal Haj Bakry and Tommy Mysk of Mysk Inc. for the discovery.
The Verge published details of the vulnerability on March 18, 2025, following Mysk's public disclosure of their research findings.

Key Claims and Evidence
Apple's security advisory confirmed the technical nature of the vulnerability. For CVE-2024-44276, Apple stated: "A user in a privileged network position may be able to leak sensitive information." For CVE-2024-54492, the advisory noted: "An attacker in a privileged network position may be able to alter network traffic."
Both vulnerabilities shared the same remediation approach. Apple stated: "This issue was addressed by using HTTPS when sending information over the network."
Mysk's research demonstrated that the unencrypted requests created two distinct attack scenarios. First, an attacker could passively monitor which websites a user had saved passwords for by observing the HTTP requests for icons. Second, an attacker could actively intercept requests and serve malicious responses that redirected users to phishing pages.
The vulnerability required the attacker to be on the same network as the victim. Public Wi-Fi networks at coffee shops, airports, hotels, and similar locations presented the highest risk environment. Corporate networks with proper segmentation would have offered some protection.
Pros / Opportunities
The discovery and subsequent fix improved the security posture of Apple's password management infrastructure. Users running iOS 18.2 or later benefit from encrypted communications for all Passwords app network requests.
The incident demonstrated the value of independent security research. Mysk's proactive analysis of new Apple features identified a vulnerability that could have remained undetected for longer periods.
Apple's response, while taking three months, ultimately addressed the root cause rather than implementing a partial workaround. The HTTPS enforcement applies to all icon fetching operations, eliminating the entire class of vulnerability.
The public disclosure provides educational value for developers building similar features. The case illustrates why HTTPS should be the default for all network communications, even for seemingly innocuous operations like fetching display images.

Cons / Risks / Limitations
The three-month exposure window represents a significant period during which users faced elevated risk. Users who frequently accessed their Passwords app on public Wi-Fi networks during this period may have been vulnerable to targeted attacks.
Apple did not issue a public advisory or warning during the vulnerability window. Users had no way to know they should avoid using the Passwords app on untrusted networks until the fix was available.
The vulnerability affected multiple platforms simultaneously. iPhone, iPad, Mac, and Vision Pro users all ran vulnerable versions of the Passwords app during the exposure period.
Detection of exploitation would be difficult for affected users. Unlike malware that leaves traces on a device, network-based phishing attacks occur externally and may not generate any local indicators of compromise.
The incident raises questions about Apple's security review process for new features. A standalone password manager represents a high-value target, and the use of unencrypted HTTP for any network operation in such an app represents a fundamental security oversight.
How the Technology Works
Password managers typically display website icons alongside saved credentials to help users quickly identify accounts. These icons, often called favicons, are small images that websites provide for browser tabs and bookmarks.
When the Passwords app needed to display an icon for a saved credential, it would send a network request to fetch the image from the associated website. The vulnerability arose because these requests used HTTP rather than HTTPS.
HTTP traffic travels across networks without encryption. Any device on the same network segment can observe HTTP traffic using readily available network analysis tools. Attackers can also perform man-in-the-middle attacks, intercepting HTTP requests and substituting their own responses.
In the attack scenario identified by Mysk, an attacker would monitor for HTTP requests from the Passwords app. Upon detecting such a request, the attacker could respond with a redirect to a phishing page designed to mimic the legitimate website's login interface.
The fix implemented in iOS 18.2 enforces HTTPS for all icon fetching operations. HTTPS encrypts traffic between the device and the destination server, preventing both passive observation and active interception by network-level attackers.
Technical context: The attack requires ARP spoofing or similar techniques to position the attacker's device as a man-in-the-middle on the network. Tools like Bettercap or mitmproxy can automate this process on networks without proper client isolation.
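As an added example (not Apple's, Mysk's, or any vendor's code), two defender-side checks that follow from this section: building the icon URL with HTTPS enforced, as the iOS 18.2 fix does, and flagging plaintext favicon fetches and cross-host redirects in proxy log lines. The log format, hostnames and function names are assumptions, and the log lines are constructed.

```python
"""Added example, not code from the page or from Apple: HTTPS-enforced icon
URLs plus detection of plaintext favicon fetches in constructed log lines."""
import re
from urllib.parse import urlsplit, urlunsplit


class InsecureIconURL(ValueError):
    """Raised when an icon cannot be fetched over HTTPS."""


def secure_icon_url(site: str) -> str:
    """Favicon URL for a saved credential, mirroring the advisory's fix:
    http:// is upgraded to https://, any other scheme is refused."""
    parts = urlsplit(site if "://" in site else "https://" + site)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    elif parts.scheme != "https":
        raise InsecureIconURL(f"refusing non-HTTPS scheme: {parts.scheme}")
    if not parts.hostname:
        raise InsecureIconURL("no hostname in site entry")
    # Only the (lowercased) host is used; userinfo, query and fragment are dropped.
    return urlunsplit(("https", parts.hostname, "/favicon.ico", "", ""))


# Constructed proxy log format (assumed): "<ts> <src> <method> <url> <status> [-> <location>]"
SAMPLE_LOG = """\
2024-10-03T12:00:01Z 10.0.0.7 GET http://example.com/favicon.ico 302 -> http://login-example.evil.test/
2024-10-03T12:00:02Z 10.0.0.7 GET https://bank.example/favicon.ico 200
2024-10-03T12:00:03Z 10.0.0.7 GET http://shop.example/favicon.ico 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})(?: -> (\S+))?$")


def plaintext_icon_fetches(log_text: str) -> list:
    """Return favicon fetches sent over plain HTTP; mark those whose redirect
    left the original host (the redirect-to-phishing case described above)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, _method, url, status, location = m.groups()
        if urlsplit(url).scheme != "http" or not url.endswith("/favicon.ico"):
            continue
        cross_host = bool(location) and urlsplit(location).hostname != urlsplit(url).hostname
        hits.append({"ts": ts, "src": src, "url": url, "status": int(status),
                     "cross_host_redirect": cross_host})
    return hits
```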
Why It Matters Beyond the Company or Product
The vulnerability highlights ongoing challenges in securing password management systems. As users increasingly rely on password managers to handle hundreds of credentials, any weakness in these systems carries amplified consequences.
The incident demonstrates that even companies with substantial security resources can ship products with fundamental security oversights. Apple's reputation for privacy and security makes this vulnerability particularly notable.
The three-month remediation timeline raises questions about responsible disclosure practices and vendor response expectations. Security researchers must balance the public interest in disclosure against the risk of enabling attacks before fixes are available.
The case may influence how security researchers approach analysis of new features from major vendors. High-profile applications handling sensitive data warrant immediate scrutiny upon release.
For enterprise security teams, the incident reinforces the importance of network segmentation and monitoring. Organizations cannot assume that applications from reputable vendors are free from vulnerabilities.
What's Confirmed vs. What Remains Unclear
Confirmed:
- The Passwords app sent unencrypted HTTP requests for website icons
- The vulnerability existed from iOS 18 release (September 2024) through iOS 18.2 (December 2024)
- Apple assigned CVE-2024-44276 and CVE-2024-54492 to the vulnerabilities
- The fix involved enforcing HTTPS for network communications
- Mysk reported the vulnerability to Apple in September 2024
- The vulnerability affected iPhone, iPad, Mac, and Vision Pro
Unclear:
- Whether any users were actually targeted using this vulnerability
- Why Apple's security review did not catch the HTTP usage before release
- Whether similar issues exist in other Apple applications
- The exact number of users who may have been exposed while using public Wi-Fi
What to Watch Next
Apple's security advisories for future iOS releases may reveal additional Passwords app fixes, indicating ongoing security hardening of the feature.
Security researchers may publish additional analysis of the Passwords app architecture, potentially identifying other areas requiring attention.
Enterprise mobility management vendors may update their guidance regarding Apple device usage on untrusted networks.
The incident may prompt renewed discussion about password manager security standards and third-party security audits for credential management applications.
Users should verify they are running iOS 18.2 or later to ensure they have the fix applied. Those who used the Passwords app extensively on public Wi-Fi between September and December 2024 may wish to review their accounts for any suspicious activity.

