Yes, it is pretty serious. The video demo shows that HTTP calls for password reset links can be redirected to a malicious website: https://youtu.be/VUSB3FK1dKA?feature=shared
Ah I see, yeah, makes sense. I wasn’t aware that this is a feature in Passwords (and even if I were, I probably still would rather go manually to the website).
Since it pops up a web view, which I presume is WebKit/Safari, I wonder if the Safari setting “Not Secure Connection Warning” (which you should set to on) is correctly applied to the view. Obviously it’s a bug that they used HTTP in the first place, but this would have helped.