by radicality 460 days ago
Was that that big of a problem? I actually did notice that when occasionally LittleSnitch would alert me that Passwords wants to connect over port 80. It definitely made me look and I found it a little bit odd to not use https, but didn't think too much of it as it always looked like it was only to fetch a favicon.

Yes, it is pretty serious. The video demo shows that HTTP calls for password reset links can be redirected to a malicious website: https://youtu.be/VUSB3FK1dKA?feature=shared
Ah I see, yeah makes sense. I wasn't aware that this was a feature in Passwords (and even if I had been, I probably would still rather go manually to the website).

Since it pops up a web view which I presume is WebKit/Safari, I wonder if the Safari setting "Not Secure Connection Warning" (which you should set to on) is correctly applied to the view. Obviously it's a bug that they used http in the first place, but this would have helped.