Shortly after rolling out iOS 18, Apple is addressing an important security flaw in the OS’s all-new Passwords app.
iOS 18 rolled out mid-September, packing dozens of new features and upgrades, including a new addition to the OS’s range of stock apps. Passwords, as the app is called, is designed to securely store and access your passwords, passkeys, Wi-Fi passwords, and other credentials, all in one place.
It’s a welcome improvement from Apple’s previous credential management solution, which involved slaloming through the Settings panel’s crude interface. However, as nice an upgrade this is, it rolled out a bit flawed.
Security researcher Bistrit Dahal found that “A user's saved passwords may be read aloud by VoiceOver,” according to Apple’s first security advisory for iOS 18.
While the flaw hasn’t yet been exploited by threat actors – at least not to Apple’s knowledge – it’s apparently serious enough to warrant an emergency patch.
Apple’s VoiceOver accessibility feature is designed to read on-screen content out loud – i.e. to help the visually impaired. However, in the context of Apple’s new Passwords app, it can also divulge access information stored on the user’s device. In theory, anyone within hearing range could learn the user’s access credentials and then take over their accounts on a different device.
It’s easier said than done, though, considering that most websites today enforce multi-factor authentication to keep attackers at bay. But not all websites enforce it, and not everyone has multi-factor authentication enabled for all their accounts.
iOS 18.0.1 addresses the vulnerability with an improved logic in VoiceOver scenarios. The flaw is present on all iPhone models from XS onwards, as well as most iPads in circulation today.
But this is not the only issue Apple is addressing with this urgent software patch.
Two other security researchers – one identified by Apple as Michael Jimenez and a second anonymous one – have found that “Audio messages in Messages may be able to capture a few seconds of audio before the microphone indicator is activated.”
While it’s not as serious as the Passwords bug, this issue may end up divulging information that the user wasn’t aware was being recorded. Also, this flaw only affects the all-new iPhone 16 (all models), according to the advisory.
It’s strongly recommended that you deploy iOS 18.0.1 and iPadOS 18.0.1 on your Apple devices as soon as you get a chance.
Bitdefender recommends you always install the latest software for all your gizmos, as most updates come with important security fixes – iOS 18.0.1 marking a clear example.
For peace of mind, consider running a dedicated security solution on all your personal devices.
tags
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
View all postsSeptember 06, 2024
September 02, 2024