Advisory ID: ngCERT-2025-050003
SUMMARY
ngCERT has issued an urgent alert regarding a critical vulnerability (CVE-2024-44276, CVSS 9.1 – Critical) in Apple’s Password App for iOS 18, enabling attackers to hijack user sessions and steal sensitive credentials. The flaw originates from the app’s reliance on unencrypted HTTP for data transmission, allowing adversaries on shared networks (e.g., public Wi-Fi) to intercept the cleartext traffic and redirect users to malicious phishing sites. These fraudulent pages mimic legitimate services to harvest login credentials, financial data, and other personal information.
Probability: High
Damage: Critical
Platform(s): iOS, iPadOS
DESCRIPTION
The vulnerability in Apple’s Password App was identified as an insecure data transmission weakness open to compromise by threat actors. Specifically, the App used unencrypted HTTP connections, rather than HTTPS, to fetch logos and icons when opening password reset pages. Attackers with privileged access, typically by being connected to the same network as the user (e.g. Starbucks, airport, or hotel Wi-Fi), could intercept the HTTP request and redirect the user to a phishing website. Thereafter, threat actors can easily harvest login credentials from victims and use them for further malicious activity. Apple addressed the problem in a security update in iOS 18.2.
CONSEQUENCES
Exploitation of the flaw could lead to phishing attacks and theft of login credentials. This could further result in:
- Malware infiltrations.
- Financial losses through fraudulent transactions.
- Identity theft occasioned by stolen sensitive data.
- Emotional distress.
- Disruption of critical services.
SOLUTION/MITIGATION
While Apple has addressed the vulnerability in recent updates, ngCERT strongly advises all iOS 18 users to:
- Install the latest security patch immediately via Settings > General > Software Update.
- Avoid using the Password App on public or untrusted networks until updates are confirmed.
- Enable HTTPS-only mode in browser settings to block insecure connections.
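As an added, defender-side illustration of the weakness in the DESCRIPTION and of the HTTPS-only mitigation above (example code, not ngCERT’s or Apple’s), the script below audits a constructed sample of proxy log lines for cleartext HTTP fetches and shows what an HTTPS-only policy does with each URL. The log format, hostnames and function names are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a proxy log (one request per line, key=value fields);
# hostnames are placeholders, not the real endpoints the advisory refers to.
SAMPLE_LOG = """\
ts=2025-03-01T10:00:01Z client=10.0.0.5 method=GET url=http://logo-cdn.example/bank/icon.png
ts=2025-03-01T10:00:02Z client=10.0.0.5 method=GET url=https://accounts.example/reset
ts=2025-03-01T10:00:03Z client=10.0.0.7 method=GET url=HTTP://logo-cdn.example:80/favicon.ico
ts=2025-03-01T10:00:04Z client=10.0.0.7 method=GET url=ftp://files.example/logo.png
"""


def parse_log(text):
    """Parse the constructed key=value log format into one dict per line."""
    records = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "url" in fields:
            records.append(fields)
    return records


def https_only(url):
    """Apply an HTTPS-only policy to one URL.

    Returns ("allow", url) for https, ("upgrade", rewritten) for http, and
    ("block", url) for any other scheme or an unparsable URL. The rewrite
    keeps host, path and query, drops an explicit :80 (the https default
    port is used instead) and keeps any other explicit port unchanged.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return ("block", url)
    if parts.scheme == "https":
        return ("allow", url)
    if parts.scheme != "http" or not parts.hostname:
        return ("block", url)
    netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
    return ("upgrade", urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)))


def audit(text):
    """Return (client, url, action) for every request in the log, so that
    cleartext fetches (action 'upgrade' or 'block') can be reported."""
    return [(r.get("client", "?"), r["url"], https_only(r["url"])[0])
            for r in parse_log(text)]


if __name__ == "__main__":
    for client, url, action in audit(SAMPLE_LOG):
        if action != "allow":
            print(f"{action:8} {client:10} {url}")
```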
REFERENCES