Browser Vulnerability Poses Risk of Passkey Authentication Hijacking

SquareX has revealed a critical vulnerability in passkey-based authentication that poses risks to banking, shopping, and enterprise SaaS accounts. Passkeys are designed as a more secure alternative to traditional passwords, utilising cryptographic key pairs where the private key remains on the user’s device and the public key is stored by the service provider. Authentication occurs locally through biometrics, a hardware key, or a PIN, with the public key on the server verifying the signature. This method aims to limit access to pre-registered devices and specific websites, thereby reducing the risks associated with password theft, reuse, or weakness. According to industry data from FIDO, over 15 billion accounts have enabled passkeys, with 69% of users activating them on at least one account. However, new research from SquareX indicates that an overlooked browser vulnerability may undermine the security promise of passkeys.

The research, by SquareX researchers Shourya Pratap Singh, Daniel Seetoh, and Jonathan Lin, highlights that the security of passkey authentication relies on the assumption that the browser is “honest” and uncompromised. All communication between the authentication server and the user’s device passes through the browser, making it a potential weak point. Attackers can exploit this vulnerability using simple scripts and malicious browser extensions to intercept and manipulate the passkey registration process. This could enable them to gain account access without requiring the user’s biometric data or physical device. Furthermore, attackers can disrupt logins with already-registered passkeys, prompting users to re-register their credentials in an attacker-controlled environment, effectively granting attackers access. Singh warns that this risk is exacerbated by the limitations of conventional security solutions, as Endpoint Detection and Response (EDR) and Security Service Edge (SSE) technologies lack the necessary visibility within the browser to detect these exploits. Consequently, the entire attack process may appear identical to legitimate passkey authentication, leaving users unaware of the malicious activity.
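The checks a service performs on a passkey login, as an added sketch using Node's built-in crypto module; it is not code from SquareX's research or from any vendor. The simulated authenticator, the `bank.example` origin, and all function names are constructed for illustration. Every input the server verifies here arrives through the browser, which is the trust assumption described above.

```javascript
// Added illustration; all names, origins and keys are constructed for this example.
const crypto = require("node:crypto");
const RP_ID = "bank.example";            // assumed relying-party ID
const ORIGIN = "https://bank.example";   // assumed expected origin
const sha256 = (b) => crypto.createHash("sha256").update(b).digest();

// Simulated authenticator: the private key never leaves this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // the half that registration hands to the server
    sign(clientDataJSON, rpId) {
      // authenticatorData = SHA-256(rpId) || flags (UP|UV = 0x05) || 4-byte signCount
      const authData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x05]), Buffer.alloc(4)]);
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { authData, signature: crypto.sign("sha256", signed, privateKey) };
    },
  };
}
// The browser's role: report the page origin and relay the server's challenge.
function browserClientData(challenge, origin) {
  return Buffer.from(JSON.stringify({ type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
}
// Relying-party checks on a login assertion, using the public key stored at registration.
function verifyAssertion(storedPublicKey, challenge, clientDataJSON, authData, signature) {
  const c = JSON.parse(clientDataJSON.toString("utf8"));
  if (c.type !== "webauthn.get") return "bad-type";
  if (c.challenge !== challenge.toString("base64url")) return "bad-challenge";
  if (c.origin !== ORIGIN) return "bad-origin";
  if (!authData.subarray(0, 32).equals(sha256(Buffer.from(RP_ID)))) return "bad-rpid";
  if ((authData[32] & 0x01) === 0) return "no-user-presence";
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, storedPublicKey, signature) ? "ok" : "bad-signature";
}
function demo() {
  const device = makeAuthenticator(), other = makeAuthenticator();
  const challenge = crypto.randomBytes(32); // issued by the server for this login
  const run = (auth, signedChallenge, origin, rpId) => {
    const cd = browserClientData(signedChallenge, origin);
    const { authData, signature } = auth.sign(cd, rpId);
    return verifyAssertion(device.publicKey, challenge, cd, authData, signature);
  };
  return {
    legit: run(device, challenge, ORIGIN, RP_ID),
    otherSite: run(device, challenge, "https://bank-login.example", "bank-login.example"),
    staleChallenge: run(device, crypto.randomBytes(32), ORIGIN, RP_ID),
    otherDevice: run(other, challenge, ORIGIN, RP_ID),
  };
}
console.log(demo());
```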
