Researchers at SquareX have demonstrated that passkeys, though designed to be secure, can be bypassed through browser-based attacks involving JavaScript injection and malicious extensions. The attack exploits vulnerabilities in the WebAuthn standard by impersonating users and hijacking authentication flows, highlighting potential risks even in biometric scenarios. #WebAuthn #PasskeyBypass
Keypoints
- Passkeys are intended to offer a more secure alternative to passwords and are recommended by major tech companies.
- Researchers revealed that passkeys could be bypassed through browser environment manipulation, not cryptography flaws.
- The attack involves convincing users to install malicious browser extensions or exploiting website XSS vulnerabilities.
- Hijacking and forging WebAuthn APIs allows attackers to impersonate users during registration and login.
- Once infected, victims can be forced to revert to password authentication, enabling credential theft.
Read More: https://www.securityweek.com/passkey-login-bypassed-via-webauthn-process-manipulation/