The technology industry has long promoted passkeys as a safer, phishing-resistant alternative to passwords. Major firms such as Microsoft, Google, Amazon, and Meta are encouraging users to abandon traditional login methods in favor of this approach, which ties account security directly to a device. In theory, passkeys make it almost impossible for attackers to gain access without physically having an unlocked device. However, new research suggests that this system may not be as unbreakable as promised.
Cybersecurity firm SquareX has demonstrated that browser-based attacks can undermine the integrity of passkeys. According to the research team, malicious extensions or injected scripts are capable of manipulating the passkey setup and login process. By hijacking this step, attackers can trick users into registering credentials controlled by the attacker, undermining the entire security model. SquareX argues that this development challenges the belief that passkeys cannot be stolen, calling the finding an important “wake-up call” for the security community.
The proof-of-concept exploit works by taking advantage of the fact that browsers act as the intermediary during passkey creation and authentication. Both the user’s device and the online service must rely on the browser to transmit authentication requests accurately. If the browser environment is compromised, attackers can intercept WebAuthn calls and replace them with their own code. SquareX researchers demonstrated how a seemingly harmless extension could activate duri
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: