This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website.
That's not a phishing attack. That sounds like a profound security hole in the TLS implementation.
I think it’s MITM since they weren’t enforcing TLS to begin with
Notably, this is not the first time Apple has had issues with checking identities on TLS initial connection. There was a famous bug years ago called "Goto Fail" where macOS would just accept any signature/identity in certain cases.
Sometimes you just want to shake Apple management and scream: implement. basic. unit. tests. for. security. stuff. aaaaa.