How did my friend's iOS Keychain Passwords show up on another friend's iPhone? - eviltoast

This is going to sound wild.

My friend Edwin was ordering products off of the Ghost Energy app and when he went to proceed with logging into PayPal to pay, the iOS Keychain suggestion popped up from the bottom of the screen with Alex’s personal email listed as an autofilled email. He was able to click on it to continue and it autofilled Alex’s PayPal information. He immediately backed out and went to check the Passwords section of the Settings app, where he was able to see all of his own saved passwords AND Alex’s as well, which added over 150+ additional passwords/logins. How on earth can this happen? This is what we know and have confirmed:

  • They are not sharing location, in a family sharing group, or sharing any passwords between them.

  • They have not ever logged into anything on one another’s phones.

  • They have never sent any links to one another from the Ghost Energy app.

  • Alex has never sent Edwin his personal email ever.

  • They have never sent or received files/media through the close proximity file transfer feature from iPhone to iPhone.

Any insight would be greatly appreciated. I am a longtime Mac/iPhone user and have never seen anything like it.

Update: Forgot to add we have a screen recording of Edwin recreating the whole situation but we are not quite nerdy enough to blur out all the personal information shown.

  • SLJ7@alien.topB
    1 year ago

    Have both of them add a new password to their saved passwords and find out if it shows up on the other’s phone. If it does, that’s a big problem but at least it can be traced. If not, it means that some saved passwords migrated to Edwin’s phone for some reason, but it’s not being actively synced.

    Someone had to have signed into iCloud and then keychain on the wrong account. That’s been end-to-end encrypted since day 1. I just can’t see a way this would have happened otherwise. You can’t airdrop an entire keychain and I think family sharing of passwords is recent, plus you said they’re not in family sharing. And this has nothing at all to do with the Ghost Energy app either.

    Keep us posted.