Apple has revealed a Passwords app vulnerability that lasted for months (opens in new tab)

(theverge.com)

35 pointsquyleanh1y ago6 comments

6 comments

Another sus thing about this Password app is what “App Privacy Report” shows.

Sometimes it would increment counters for visited sites without you using the app, which likely means that sites are able to track you if you have an entry in Passwords.

Alternatively, some sites do not show up in logs even though icon shows up for a site/password entry.

hulitu1y ago

> Apple has revealed a Passwords app vulnerability that lasted for months

And what is the news here ? Apple fixes vulnerabilities only after they are discovered by others.

ycombinatrix1y ago

1password proxies the favicon requests I think

radicality1y ago

Was that that big of a problem? I actually did notice that when occasionally LittleSnitch would alert me that Passwords wants to connect over port 80. It definitely made me look and I found it a little bit odd to not use https, but didn't think too much of it as it always looked like it was only to fetch a favicon.

greyadept1y ago

Yes, it is pretty serious. The video demo shows that HTTP calls for password reset links can be redirected to a malicious website: https://youtu.be/VUSB3FK1dKA?feature=shared

radicality1y ago

Ah I see, yeah makes sense. I wasn’t aware that this is a feature in Passwords, (and even if I did I probably still would rather go manually to the website).

Since it pops up a web view which I presume is webkit/safari, I wonder if the Safari setting “Not Secure Connection Warning” (which you should set to on), is correctly applied to the view. Obviously it’s a bug they used http in first place, but this would have helped.

j / k navigate · click thread line to collapse

6 comments

hypothesis1y ago

Another sus thing about this Password app is what “App Privacy Report” shows.

Sometimes it would increment counters for visited sites without you using the app, which likely means that sites are able to track you if you have an entry in Passwords.

Alternatively, some sites do not show up in logs even though icon shows up for a site/password entry.

hulitu1y ago

> Apple has revealed a Passwords app vulnerability that lasted for months

And what is the news here ? Apple fixes vulnerabilities only after they are discovered by others.

ycombinatrix1y ago

1password proxies the favicon requests I think

radicality1y ago

greyadept1y ago

Yes, it is pretty serious. The video demo shows that HTTP calls for password reset links can be redirected to a malicious website: https://youtu.be/VUSB3FK1dKA?feature=shared

radicality1y ago

Ah I see, yeah makes sense. I wasn’t aware that this is a feature in Passwords, (and even if I did I probably still would rather go manually to the website).

j / k navigate · click thread line to collapse