Apple has addressed an important security vulnerability in its Passwords app with the release of iOS 18.2, following a report from security researchers Talal Haj Bakry and Tommy Mysk of Mysk Inc. The flaw, tracked as CVE-2024-54492, involved the app using unencrypted HTTP connections to download website icons, exposing users to risks such as man-in-the-middle (MITM) attacks.
Since the launch of iOS 18, the Passwords app has relied on insecure HTTP to fetch icons for saved password entries. This oversight meant that anyone in a privileged network position, such as attackers on public Wi-Fi or compromised routers, could intercept or manipulate the traffic. Such interference could allow bad actors to spoof icons, redirect users to malicious sites, or exploit the lack of encryption to collect sensitive metadata.
Mysk reported this issue to Apple in September 2024, and the fix was implemented with iOS 18.2, released on December 11, 2024. Security firm Tenable classified the vulnerability as high-severity, emphasizing the importance of updating to avoid exploitation.
The flaw posed significant risks to the privacy and security of users. Passwords stored in the app are meant to provide a secure repository, but the insecure HTTP connections undermined that premise. While no known active exploits were reported, the vulnerability’s potential to expose sensitive information made it a critical priority for remediation.
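The mitigation the article describes reduces to two rules for an icon fetcher: never emit a cleartext request, and never follow a redirect that downgrades to one. The following is an added illustration written for this page, not Apple's code; it assumes the app derived a favicon URL from the saved site URL (a path of `/favicon.ico` and the `secure_icon_url`/`fetch_icon` names are assumptions).

```python
import urllib.request
from urllib.parse import urlsplit, urlunsplit, urljoin


class InsecureIconURL(ValueError):
    """Raised when an icon fetch would leave HTTPS (or downgrade from it)."""


def secure_icon_url(site: str) -> str:
    """Derive the favicon URL for a saved login, forcing the https scheme.

    The weak pattern (assumed) reused whatever scheme the stored site URL
    carried, so an http:// entry produced a cleartext icon request.
    """
    if "://" not in site:
        site = "https://" + site  # bare hostname from a saved entry
    parts = urlsplit(site)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise InsecureIconURL(f"unsupported site URL: {site!r}")
    # Always https, never the stored scheme; icon path is an assumption.
    return urlunsplit(("https", parts.netloc, "/favicon.ico", "", ""))


def allow_redirect(current: str, location: str) -> bool:
    """Redirect policy: follow only if the resolved target is still https."""
    return urlsplit(urljoin(current, location)).scheme == "https"


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib handler that refuses any 3xx hop onto a cleartext URL."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not allow_redirect(req.full_url, newurl):
            raise InsecureIconURL(f"refusing downgrade {req.full_url} -> {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_icon(site: str, timeout: float = 5.0) -> bytes:
    """Fetch the icon over HTTPS only; a downgrade redirect aborts the fetch."""
    opener = urllib.request.build_opener(NoDowngradeRedirectHandler())
    with opener.open(secure_icon_url(site), timeout=timeout) as resp:
        return resp.read()
```

`fetch_icon` needs network access; the URL and redirect policy functions can be exercised offline.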
iOS 18.2: key fixes
Apple’s iOS 18.2 update also addressed several other notable vulnerabilities across different components:
- AppleMobileFileIntegrity (CVE-2024-54526, CVE-2024-54527): These flaws could allow malicious apps to access private or sensitive user data, potentially bypassing sandbox restrictions.
- Kernel (CVE-2024-54494): Fixed a race condition that could enable attackers to write to what should be read-only memory.
- WebKit (CVE-2024-54505): Resolved a type confusion issue that could lead to memory corruption when processing maliciously crafted web content.
- Safari (CVE-2024-44246): Addressed a privacy issue where adding a website to Safari’s Reading List could inadvertently reveal the originating IP address to websites, even with Private Relay enabled.
Apple has urged all users to update their devices to iOS 18.2 and iPadOS 18.2 immediately. The update is available for iPhone XS and later, as well as compatible iPads.