Another sus thing about this Password app is what “App Privacy Report” shows.
Sometimes it would increment counters for visited sites without you using the app, which likely means that sites are able to track you if you have an entry in Passwords.
Alternatively, some sites do not show up in the logs even though an icon shows up for the site/password entry.
Was that that big of a problem? I actually did notice that when occasionally LittleSnitch would alert me that Passwords wants to connect over port 80. It definitely made me look and I found it a little bit odd to not use https, but didn't think too much of it as it always looked like it was only to fetch a favicon.
Yes, it is pretty serious. The video demo shows that HTTP calls for password reset links can be redirected to a malicious website: https://youtu.be/VUSB3FK1dKA?feature=shared
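The failure mode described in the comment above, as an added example that is not part of the original thread and not Apple's code: a client fetches a password-reset link over plaintext HTTP, a simulated on-path attacker (a local HTTP server standing in for anyone who can answer the request) replies with a 302, and the naive client simply goes where it is told. Beside it sits the policy a password manager should apply before opening such a link: the link itself must be https, and any redirect must stay on https and on the same host. The reset path, the attacker destination, and the `example.invalid` host are constructed values.

```python
"""Simulated on-path attacker redirecting a plaintext password-reset fetch."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed values: a hypothetical reset link path and the attacker's destination.
RESET_PATH = "/reset?token=abc123"
ATTACKER_LOCATION = "http://attacker.invalid/reset?token=abc123"


class OnPathAttacker(BaseHTTPRequestHandler):
    """Stands in for a network attacker who can answer any plaintext HTTP request.
    Over HTTP nothing authenticates the responder, so a 302 from here is
    indistinguishable to the client from one sent by the real site."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", ATTACKER_LOCATION)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_attacker():
    """Bind the fake attacker on an ephemeral localhost port and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), OnPathAttacker)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def naive_resolve(url):
    """Client that trusts a plaintext redirect: returns whatever Location it is told."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    target = (u.path or "/") + ("?" + u.query if u.query else "")
    conn.request("GET", target)
    resp = conn.getresponse()
    conn.close()
    if 300 <= resp.status < 400:
        return resp.getheader("Location")
    return url


def hardened_resolve(url, location):
    """Policy a password manager should apply before opening a reset link:
    the link must be https, and a redirect must stay https and on the same host.
    Returns the URL that may be opened, or raises ValueError."""
    u = urlparse(url)
    if u.scheme != "https":
        raise ValueError(f"refusing plaintext reset link: {url}")
    loc = urlparse(location)
    if loc.scheme != "https":
        raise ValueError(f"refusing downgrade redirect to {location}")
    if loc.hostname != u.hostname:
        raise ValueError(f"refusing cross-host redirect to {loc.hostname}")
    return location


def demo():
    """Run the attack against the naive client and the policy against the same inputs."""
    srv = start_attacker()
    try:
        port = srv.server_address[1]
        landed = naive_resolve(f"http://127.0.0.1:{port}{RESET_PATH}")

        def blocked(url, location):
            try:
                hardened_resolve(url, location)
                return False
            except ValueError:
                return True

        return {
            "naive_landed_on": landed,
            "blocked_plaintext": blocked(f"http://example.invalid{RESET_PATH}", landed),
            "blocked_cross_host": blocked(
                "https://example.invalid/reset", "https://attacker.invalid/reset"),
            "same_origin_ok": hardened_resolve(
                "https://example.invalid/reset", "https://example.invalid/reset/step2"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The point is that the hardened policy never needs to know who the attacker is: refusing to start from `http://` removes the on-path position entirely, and the same-host check catches the case where a legitimate https site is itself compromised into redirecting elsewhere.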
Ah I see, yeah, makes sense. I wasn't aware that this is a feature in Passwords (and even if I had been, I probably still would rather go to the website manually).
Since it pops up a web view which I presume is WebKit/Safari, I wonder if the Safari setting "Not Secure Connection Warning" (which you should set to on) is correctly applied to the view. Obviously it's a bug that they used http in the first place, but this would have helped.