I’m seeing some people misunderstand something that I think is important.

The bug in the Passwords app that led to sometimes fetching service icons over an insecure connection, which has since been fixed, could never have led to and never did lead to the phishing of password credentials due to an architecture that separates concerns.

Even when it didn’t mandate secure connections, which has been rectified, all fetches were made in a stateless fashion, with absolutely no attempt to fill or provide credentials. (You may be interested in knowing that all fetches of icons in the Passwords app are made over the privacy proxy infrastructure that powers iCloud Private Relay, even if you’re not a Private Relay user.)

This was an unfortunate bug that could potentially lead to a threat actor splicing in web content fetched by the device, including icons, but phishing of passwords simply was not possible. In fact, user credentials are **never** released to apps or websites without an explicit user action.

@rmondello Even if it were possible, the number of things that would need to align to enable a bad actor to try to intercept traffic is incredible. Like, how many people were trying to change a password via the Passwords app on public Wi-Fi where a bad actor that knew of the exploit was actively trying to exploit it?

Glad to hear it wasn't possible in the first place, but still a highly unlikely attack vector either way.

@HilliTech On top of that, Passwords uses Safari to load websites. Safari won’t allow you to AutoFill on insecure pages through the usual paths and gives you big red warnings about it. Defense in depth.

@rmondello @HilliTech This one is a great idea until the 50th time logging in to the same low value IoT thing on my LAN that doesn’t do https. I think I should set up one more rewrite to have an https URL for it.

@rmondello The demo I saw was about following the link from the "change password" button. It would open a webview that did http by default. This is confusing. The video from the reporters did not mention anything about icons. Can you explain?

@freddy Part of what’s confusing people here, including reporting, is that there were two entirely different bugs.

One was about loading icons without mandating transport security, and the other was about the Passwords app opening a website’s home page, rather than the Well-Known URL for Changing Passwords (always https, falling back to the https home page). The icons issue was present for some time and affected all platforms. The “Change Password” bug only appeared in the Passwords app for iOS, and was quickly fixed.

Some of the discussions I’ve seen around both of these promptly fixed bugs are mixing up details.
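The two mechanisms described in this thread (Safari refusing to AutoFill on insecure pages, and the Passwords app opening the Well-Known URL for Changing Passwords with an https-only fallback) are small enough to model in code. The block below is an added example written for this page; it is not code from the Passwords app, Safari, or Apple. The `/.well-known/change-password` path is the standard W3C well-known resource, while the `probe` callback, the `SAMPLE_RESPONSES` table and the `.example` domains are constructed so the example runs offline.

```python
"""Added example (not Apple's code): an offline model of the two defenses
discussed in the thread, namely the Well-Known URL for Changing Passwords
with an https-only fallback, and a transport gate that refuses to offer
AutoFill on pages that were not loaded over https.
"""
from urllib.parse import urlsplit

# Standard W3C well-known path; the rest of this file is illustrative.
WELL_KNOWN_PATH = "/.well-known/change-password"


def require_https(url: str) -> str:
    """Return `url` unchanged if it uses https with a host, otherwise raise.

    A credential manager should reject plain http at this boundary rather
    than silently downgrading, which is the failure mode the thread is
    about.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing insecure or malformed URL: {url!r}")
    return url


def autofill_allowed(page_url: str) -> bool:
    """Model of the 'no AutoFill on insecure pages' policy: credentials are
    offered only when the page was loaded over https."""
    try:
        require_https(page_url)
    except ValueError:
        return False
    return True


def resolve_change_password_url(domain: str, probe) -> str:
    """Choose the URL to open for a 'Change Password' action.

    `probe(url)` is a hypothetical injected function that returns the HTTP
    status code a request for `url` would produce (assumed here so the
    example needs no network). Sites implementing the well-known resource
    answer 2xx or redirect; sites that do not answer 404. Both candidates
    are built as https and validated before being returned, so a plain http
    home page can never be the result.
    """
    well_known = require_https(f"https://{domain}{WELL_KNOWN_PATH}")
    home_page = require_https(f"https://{domain}/")
    status = probe(well_known)
    if 200 <= status < 400:
        return well_known
    return home_page


# Constructed sample responses standing in for real network probes.
SAMPLE_RESPONSES = {
    "https://supports-wk.example/.well-known/change-password": 200,
    "https://no-wk.example/.well-known/change-password": 404,
}


def sample_probe(url: str) -> int:
    """Look up a constructed status code; unknown URLs behave like 404."""
    return SAMPLE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    for domain in ("supports-wk.example", "no-wk.example"):
        print(domain, "->", resolve_change_password_url(domain, sample_probe))
    for page in ("https://login.example/", "http://login.example/"):
        print(page, "AutoFill allowed:", autofill_allowed(page))
```

The design point is that the http case is unrepresentable in the output of `resolve_change_password_url`: both candidate URLs pass through `require_https` before any network decision is made, so a bug in the fallback logic can at worst pick the wrong https page, never an insecure one.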

@rmondello To clarify, was the bug that (on iOS) Passwords would tell Safari to open the default page of the website via HTTP instead of the Change Password URL via HTTPS?

@johnbrayton Yes, that was one of the bugs, described extremely well.

@rmondello @freddy Maybe, if even Apple cannot remember to turn on ATS consistently, it's time to finally make it mandatory, after a decade? 😜

@rmondello Thank you. It’s a bad bug but what you clarified is important and appreciated.

@rmondello oh they went over private cloud? Smart.

@rmondello If there is one thing I know for certain, it's that relying on user action to prevent phishing is completely unreliable.

People are heavily conditioned to click a button to make the popup go away, and have been since the 90s. Most of the time without even reading.

@baibold then those people need to stop using computers and smartphones 🤣🤣

@Strwpok lol but then tech would collapse as only like maybe 20% of the users would remain.

@rmondello @flargh Don’t spoil the headlines with your factual truths, Ricky!!