What the “Passkeys Pwned” talk is and isn’t about, and what it reveals about the importance of correct implementation of the standard

The Passkeys Pwned Talk Summary
As outlined in the DEF CON abstract below, the Passkeys Pwned attack highlights a passkey implementation flaw, specifically in how WebAuthn is implemented in the registration and authentication process. The Passkeys Pwned attack is not a cryptographic flaw, nor is it a criticism of the FIDO Alliance. Both points were detailed in the DEF CON presentation and in the technical blog.
DEF CON 33 Passkeys Pwned Talk Abstract
“This presentation demonstrates how attackers can proxy WebAuthn API calls to forge passkey registration and authentication responses. We’ll showcase this using a browser extension as an example, but the same technique applies to any website vulnerable to client-side script injection, such as XSS or misconfigured widgets”
The Passkeys Pwned attack highlights that regular web threats — such as CDN attacks, XSS and browser extensions — can lead to unauthorized access via passkeys without requiring any endpoint, OS or browser compromise. In today’s world, every website loads resources from third-party CDNs, leading to a major supply chain risk.
This is reminiscent of the Ledger Connect Kit CDN and NPM vulnerability in December 2023, where malicious code was injected into decentralized apps, allowing attackers to drain crypto wallets without needing to compromise the user’s device. Just this week, another malware injection attack on NPM packages impacted over 2.6 billion downloads, highlighting the inevitability of supply chain attacks on the web.
The demo videos below show how the Passkey
[…]