Apple has revealed a Passwords app vulnerability that lasted for months

Apple has revealed a Passwords app vulnerability that lasted for months(theverge.com)

35 points by quyleanh 1 year ago | 6 comments

hypothesis 1 year ago |

Another sus thing about this Password app is what “App Privacy Report” shows.

Sometimes it would increment counters for visited sites without you using the app, which likely means that sites are able to track you if you have an entry in Passwords.

Alternatively, some sites do not show up in logs even though icon shows up for a site/password entry.

hulitu 1 year ago |

> Apple has revealed a Passwords app vulnerability that lasted for months

And what is the news here ? Apple fixes vulnerabilities only after they are discovered by others.

ycombinatrix 1 year ago |

1password proxies the favicon requests I think

radicality 1 year ago |

Was that that big of a problem? I actually did notice that when occasionally LittleSnitch would alert me that Passwords wants to connect over port 80. It definitely made me look and I found it a little bit odd to not use https, but didn't think too much of it as it always looked like it was only to fetch a favicon.

greyadept 1 year ago | |

Yes, it is pretty serious. The video demo shows that HTTP calls for password reset links can be redirected to a malicious website: https://youtu.be/VUSB3FK1dKA?feature=shared

radicality 1 year ago | | |

Ah I see, yeah makes sense. I wasn’t aware that this is a feature in Passwords, (and even if I did I probably still would rather go manually to the website).

Since it pops up a web view which I presume is webkit/safari, I wonder if the Safari setting “Not Secure Connection Warning” (which you should set to on), is correctly applied to the view. Obviously it’s a bug they used http in first place, but this would have helped.