Overview
- The vulnerability, discovered by Mysk researchers in September 2024, stemmed from Apple's Passwords app using unencrypted HTTP connections.
- Attackers on shared Wi-Fi networks could intercept HTTP requests and redirect users to phishing sites.
- Apple patched the flaw in December 2024 with iOS 18.2, which enforced HTTPS for all connections in the Passwords app.
- The issue affected multiple Apple devices, including iPhones, iPads, Macs, and Vision Pro headsets.
- Apple publicly disclosed the vulnerability only in March 2025, raising concerns about delayed transparency in security disclosures.