Date: 2025-08-29
Identity
Malevolent extensions threaten passkeys, study shows
Enterprise software-as-a-service, banking, and e-commerce apps could be compromised through malicious browser extensions exploiting a critical vulnerability concerning passkeys' dependence on browser integrity, reports SiliconANGLE. Attackers could harness nefarious browser extensions to facilitate registration forgery, biometric evasion, and login disruptions without raising suspicion among targeted users due to the lack of visual changes to the passkey workflow, according to findings from browser security firm SquareX. Inadequate browser visibility provided by endpoint detection and response and secure access service edge systems also exacerbates the risk posed by illicit extensions and scripts. "Passkeys are a highly trusted form of authentication, so when users see a biometric prompt, they take that as a signal for security. What they don't know is that attackers can easily fake passkey registrations and authentication by intercepting the passkey workflow in the browser," said SquareX researcher Shourya Pratap Singh, who emphasized the potential use of passkeys to compromise any application.
