iOS 27 gives Siri write access to your passwords - should it?

A few days ago at WWDC, Apple announced iOS 27 - with the biggest feature being a revamped Siri, called Siri AI. After looking at some of Siri AI’s new features, I noticed it can now make changes inside the Passwords app. Specifically, it can now act on a weak or compromised credential by walking through a password rotation on the site for you, end to end. Agentic magic.

At face value, the convenience is obvious: most people never rotate a leaked password because the flow is tedious and people can be naturally lazy. As incriminating as it is to admit, I am also one of those people (for my least important credentials). Apple likely believes that adding the ability to pass this off to an agent could measurably shrink the window between “compromise detected” and “credential rotated,” and they’re probably right.

But it also moves the trust boundary. Until now, the only thing (hopefully) that could read and write every credential you own was you, gated behind some form of biometric unlock (i.e. Face ID / Touch ID). An agent that can navigate to a site, authenticate as you, and submit a new password is a new high-value capability, but the interesting question isn’t “is the model good,” it’s “what exactly can trigger it” and “what can / can’t it be talked into doing.” Prompt injection is a thing - a malicious login page or a spoofed “your password was compromised” prompt are the first things that come to mind. We already see the effects of prompt injection on LinkedIn with recruiter bots, which is the same exposure a password agent can have the second it reads a malicious login page. Apple appears to show this capability as navigating to a website you have previously attributed to the credential, but what if that page ends up compromised?

And I’m not alone in this thinking. At first, I actually was fooled by the “magic” of it all. But after speaking to a few college friends who also work in the industry, their immediate reaction was a mix of “I don’t like that” and “sus.” However, their initial thoughts were more based on whether this functionality was running locally on-device or passed off via Apple’s Private Cloud Compute. Another valid concern.

I’ll be keeping an eye on this as the iOS 27 beta cycle unfolds to see if Apple posts anything more about this feature, specifically from a security standpoint. Who knows, maybe Apple has this all figured out already with their army of engineers and everything will work perfectly with privacy in mind. Regardless, the world is fast implementing AI - and the risks associated with that are only just beginning.

ZB