
WebAuthn API hijack could enable passkey login bypass


At DEF CON, SquareX researchers demonstrated an attack technique that could let attackers bypass passkey-based login security by manipulating the authentication process, SecurityWeek reports.

The method lets a threat actor impersonate a user and access accounts protected by passkeys without access to the user's device, even when the passkey is unlocked with Face ID. It targets passkey authentication through WebAuthn, the standard websites use for passkey login. By tricking a user into installing a malicious browser extension, or by exploiting a client-side vulnerability such as XSS on the target website, an attacker can hijack the WebAuthn API calls the site makes. From there, the attacker can either force a downgrade to password login or manipulate a re-initiated passkey registration in order to steal credentials.

For victims, it is enough to visit the website where they log in with passkeys while the malicious extension is installed, or simply to visit the website directly if it contains a client-side injection vulnerability such as XSS. No additional user interaction is required beyond normal registration and authentication, said Shourya Pratap Singh, principal software engineer at SquareX.
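As an added illustration (this is not SquareX's demonstration code and does not come from the SC Media report), the following Node-runnable JavaScript models the "force a downgrade to password login" half of the technique described above: a script running in the page's JavaScript context replaces `navigator.credentials.get` so that every passkey ceremony appears to fail, and a login page that offers a password fallback on that error downgrades itself. It also shows one client-side integrity check (capturing API references at page load) and the limit of that check when the hijacking script runs first. The `navigator.credentials` stand-in, the challenge strings and the credential ids are constructed placeholders, and all function names are assumptions of this example; the registration-manipulation variant is not modelled.

```javascript
// Added example, not code from the article or from SquareX.
// Node has no WebAuthn, so navigator.credentials is modelled with a constructed stand-in.

// Node 17+ has DOMException as a global; fall back to a minimal shim on older runtimes.
const DomException =
  typeof DOMException !== "undefined"
    ? DOMException
    : class DOMException extends Error {
        constructor(message, name) {
          super(message);
          this.name = name;
        }
      };

// Constructed stand-in for window.navigator.credentials. Only the surface used here is
// modelled; real calls return PublicKeyCredential objects with signed responses.
function makeNavigator() {
  const credentials = {
    async get(_options) {
      return { type: "public-key", id: "assertion-from-real-authenticator" };
    },
    async create(_options) {
      return { type: "public-key", id: "credential-from-real-authenticator" };
    },
  };
  return { credentials };
}

// What any script with page-context privileges (an XSS payload, or an extension script
// injected into the page's main world) can do: shadow the WebAuthn getter so that the
// ceremony looks exactly like a user cancelling or a missing authenticator.
function installHijack(nav) {
  nav.credentials.get = async function hijackedGet(_options) {
    throw new DomException(
      "The operation either timed out or was not allowed.",
      "NotAllowedError"
    );
  };
}

// A login page's ceremony with a common fallback policy: on NotAllowedError, offer the
// password path. This is the policy the hijack above abuses.
async function passkeyLogin(nav, challenge) {
  try {
    const assertion = await nav.credentials.get({ publicKey: { challenge } });
    return { outcome: "passkey", credentialId: assertion.id };
  } catch (err) {
    if (err instanceof DomException && err.name === "NotAllowedError") {
      return { outcome: "password-fallback", reason: err.name };
    }
    throw err;
  }
}

// Integrity check: remember the API references seen at page load and refuse to offer a
// password fallback if they have changed by the time the ceremony runs.
function captureApi(nav) {
  return { get: nav.credentials.get, create: nav.credentials.create };
}

function apiUnchanged(nav, pristine) {
  return (
    nav.credentials.get === pristine.get &&
    nav.credentials.create === pristine.create
  );
}

async function guardedPasskeyLogin(nav, pristine, challenge) {
  if (!apiUnchanged(nav, pristine)) {
    // Tampering detected: the password path is what the attacker wants, so do not offer it.
    return { outcome: "blocked", reason: "WebAuthn API modified since page load" };
  }
  return passkeyLogin(nav, challenge);
}

// Scenario A: no hijack; the ceremony completes with the (modelled) real authenticator.
async function scenarioClean() {
  const nav = makeNavigator();
  const pristine = captureApi(nav);
  return guardedPasskeyLogin(nav, pristine, "challenge-a");
}

// Scenario B: the hook lands after the page captured references (e.g. an XSS payload that
// fires later in the page lifecycle). The check catches it.
async function scenarioLateHijack() {
  const nav = makeNavigator();
  const pristine = captureApi(nav);
  installHijack(nav);
  return guardedPasskeyLogin(nav, pristine, "challenge-b");
}

// Scenario C: the hook lands before any page script runs (e.g. an extension script injected
// at document start). The capture itself is poisoned, the check passes, and the site downgrades.
async function scenarioEarlyHijack() {
  const nav = makeNavigator();
  installHijack(nav);
  const pristine = captureApi(nav);
  return guardedPasskeyLogin(nav, pristine, "challenge-c");
}

Promise.all([scenarioClean(), scenarioLateHijack(), scenarioEarlyHijack()]).then(
  (results) => results.forEach((r) => console.log(r))
);
```

Scenario C is the practical caveat: a client-side integrity check only helps against scripts that run after the page's own code, and a hijacker that runs first is indistinguishable from the genuine API. The mitigations that hold regardless of script ordering sit on the relying party: do not treat a failed passkey ceremony on a passkey-enrolled account as license to accept a password alone, and require an existing authenticated session or a fresh re-authentication before registering any new credential.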
