Apple has closed a security gap with iOS 18.2, released in December. Security researcher Tommy Mysk has now published the details. According to him, it was for several months at least theoretically possible to steer users on the same network into certain types of phishing attacks. The reason: Apple simply did not encrypt various requests made by the Passwords app. The traffic could therefore be intercepted, for example by someone on the same Wi-Fi or Ethernet network as the victim.
Unencrypted forwarding to password reset website
It is unclear why it took Apple so long to ship a patch; iOS 18 had already been released in September. Apple's terse description of the problem: "A user in a privileged network position can leak sensitive information." The problem was fixed by encrypting the traffic with HTTPS. In addition to iOS, iPadOS is affected up to version 18.2.
The bug was discovered after the so-called App Privacy Report on one of Mysk's devices showed contact with 130 different websites over insecure HTTP connections. As it turned out, the app was requesting account logos and/or icons. In addition, by default the app initially called up well-known password reset forms. As Mysk told the Apple blog 9to5Mac, this made it possible to intercept such a request, including redirecting it to a phishing website.
Icon queries cannot be prevented
It is unclear whether such attacks actually occurred; Apple does not comment on the researchers' reports. "We were surprised that Apple did not enforce HTTPS by default in such a sensitive app," writes Mysk. There is a further problem: the app offers no way to prevent the icon queries.
"I don't feel comfortable with my password manager constantly pinging every website for which I manage a password, even if the requests the Passwords app sends contain no identifier." It is conceivable that Apple will route these requests through a proxy in the future. In any case, they simply cannot be sent unencrypted. Mysk demonstrated the attack he discovered against, among other sites, Microsoft's Live.com, and captured passwords that way.
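The two weak spots the article describes, cleartext icon lookups and cleartext fetches of password reset pages, are easy to spot in network logs. The following is an added example, not code from Mysk or Apple: it scans constructed proxy log lines (the four-column format is an assumption) for exactly those request types and shows the HTTPS-only rewrite that the 18.2 fix amounts to.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of proxy log lines, not real Passwords-app traffic.
# Assumed format: "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2024-12-10T09:00:01Z 192.168.1.20 GET http://example.com/favicon.ico
2024-12-10T09:00:02Z 192.168.1.20 GET http://accounts.example.net/reset-password
2024-12-10T09:00:03Z 192.168.1.20 GET https://example.org/favicon.ico
2024-12-10T09:00:04Z 192.168.1.20 GET http://example.com/apple-touch-icon.png
2024-12-10T09:00:05Z 192.168.1.20 POST https://login.example.org/session
"""

# Path fragments typical of the two request types discussed in the article:
# site icons/logos and password reset ("forgot password") pages.
SENSITIVE_PATH = re.compile(r"(favicon\.ico|apple-touch-icon|reset|forgot|recover)", re.I)


def find_plaintext_fetches(log_text):
    """Return (client, url, reason) for every cleartext HTTP request that looks
    like an icon lookup or a password-reset page fetch. Anyone on the same
    network segment can read such a request and answer it with a redirect."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, _, url = parts
        parsed = urlsplit(url)
        if parsed.scheme != "http":
            continue  # TLS-protected requests are not exposed to a network attacker
        if SENSITIVE_PATH.search(parsed.path):
            findings.append((client, url, "cleartext icon/reset fetch"))
    return findings


def force_https(url):
    """The mitigation Apple shipped in 18.2, in miniature: never issue such a
    request over plain HTTP, always upgrade the scheme to HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


if __name__ == "__main__":
    for client, url, reason in find_plaintext_fetches(SAMPLE_LOG):
        print(f"{client} {reason}: {url} -> should be {force_https(url)}")
```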