A vulnerability in the new Passwords app, introduced with the iOS 18 update, has been discovered by security researchers at Mysk. As the researchers explained to our colleagues at 9to5Mac, the flaw makes iPhone users vulnerable to phishing attacks.
HTTP requests to a sensitive Apple application
First, the researchers noticed that the Apple application was sending unsecured HTTP requests to obtain the logos and icons of 130 websites. The app uses these images to illustrate the sites associated with your saved passwords. By default, password reset pages were also opened over HTTP.
For no apparent reason, Apple did not enforce HTTPS, which is more secure than HTTP, in the app. The HTTP protocol transmits data in clear text, without encryption, which opens the door to cyberattacks. In contrast, HTTPS encrypts the connection using the SSL/TLS protocols.
These unsecured requests can be intercepted by someone connected to the same Wi-Fi network as the target's iPhone, who can ultimately redirect the user to a phishing website. This malicious site could then request the user's personal data, including usernames and passwords. The researchers give the example of a phishing page imitating the official Microsoft website: convinced that they are on the genuine Microsoft site, the target could enter the credentials linked to their account in order to log in. The flaw opens the door to very effective attacks via public Wi-Fi networks, such as those in an airport, a cafe, a restaurant, or a hotel.
Apple fixes the situation with iOS 18.2
Alerted by the Mysk researchers, Apple has fixed the vulnerability. The Cupertino giant included a fix in the iOS 18.2 update. On its website, Apple admits that a "user in a privileged network position may be able to disclose sensitive information" by exploiting the flaw. Apple also mentions a second flaw, linked to the first, which would allow "an attacker in a privileged network position" to "modify network traffic".
The flaw remained open for three months, between the deployment of iOS 18 and the arrival of iOS 18.2. Apple adds that this "issue was addressed by using HTTPS when sending network information". By avoiding unsecured HTTP requests, Apple prevents a potential attacker from intercepting the communications. Note that Apple patched the flaw with iOS 18.2, which was released last January, but has only just communicated about it.
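The two points above, cleartext icon fetches that a same-network attacker can tamper with and the fix of "using HTTPS" instead, can be expressed as a small client-side policy. The following is an added example written for this article, not Apple's code: it audits a constructed list of icon/logo fetch URLs, upgrades plain HTTP to HTTPS, refuses other schemes, and rejects a redirect that would downgrade an HTTPS fetch back to cleartext (the hostnames are illustrative placeholders).

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of icon/logo fetches a password manager might issue for
# its saved-site entries. Hostnames are placeholders, not taken from the app.
SAMPLE_FETCHES = [
    "http://login.example-bank.com/favicon.ico",
    "https://github.com/favicon.ico",
    "http://accounts.example.net/apple-touch-icon.png",
    "ftp://files.example.org/icon.png",
]


def is_cleartext(url: str) -> bool:
    """True when the request would leave the device unencrypted (plain HTTP)."""
    return urlsplit(url).scheme.lower() == "http"


def upgrade_to_https(url: str) -> str:
    """Rewrite http:// to https://; any other scheme is refused so the caller fails closed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return url
    if scheme == "http":
        # SplitResult is a 5-tuple: (scheme, netloc, path, query, fragment)
        return urlunsplit(("https",) + tuple(parts)[1:])
    raise ValueError(f"refusing non-HTTP(S) fetch: {url}")


def safe_redirect_target(origin_url: str, location: str) -> str:
    """Follow a redirect only if it does not downgrade an HTTPS fetch to cleartext."""
    if urlsplit(origin_url).scheme.lower() == "https" and is_cleartext(location):
        raise ValueError(f"downgrade redirect blocked: {location}")
    return upgrade_to_https(location)


def audit_fetches(urls):
    """Return (URLs as they should be fetched, count that were cleartext, URLs refused)."""
    fetchable, cleartext, refused = [], 0, []
    for url in urls:
        if is_cleartext(url):
            cleartext += 1
        try:
            fetchable.append(upgrade_to_https(url))
        except ValueError:
            refused.append(url)
    return fetchable, cleartext, refused


if __name__ == "__main__":
    ok, n_clear, bad = audit_fetches(SAMPLE_FETCHES)
    print(f"{n_clear} cleartext fetch(es) upgraded; {len(bad)} refused: {bad}")
```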
Source: 9to5Mac