Yes, Your Passkeys Can Be Hacked—New Attack ‘Breaks The Myth’
A new security nightmare has emerged, leaving users feeling vulnerable despite the rise of passkey technology as a safer alternative to traditional passwords. While Microsoft, Google, Facebook, Amazon, and others have been touting the benefits of passkeys, a recent study by SquareX reveals that these digital keys can be hacked using a simple yet effective attack.
Passkeys are designed to provide an additional layer of security, linking account security directly to device security. This means that without physical access to your unlocked hardware, an attacker cannot break into your passkey system. However, researchers at SquareX have discovered a weakness in this system – the browser.
A Vulnerability in the Browser
The team at SquareX warns that malicious extensions or scripts can fake passkey registration and logins, effectively breaking the myth that passkeys cannot be stolen. This new attack exploits the passkey setup process, which assumes that your browser is a secure environment.
According to Vivek Ramachandran of SquareX, "the browser is the primary interface for users to register and authenticate passkeys, and it's relied on by both sides – the user and the service provider – to communicate honestly. If the browser can't be trusted, then the device passkey setup and the services can be duped."
The attack works by intercepting and manipulating communication within the browser: a malicious browser extension replaces the site's WebAuthn calls (the browser API used to register and authenticate passkeys) with the attacker's own code. This lets the attacker redirect the exchange to their own server and steal sensitive information.
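The hook the article describes sits between the web page and the browser's native WebAuthn entry points, `navigator.credentials.create` and `navigator.credentials.get`. As an added example (not SquareX's code and not from the article), the probe below is something a relying party's own page script can run before calling those methods: it reports the common traces a content-script hook leaves behind, namely an own property shadowing the native prototype method, a function whose source is not native code, and a `bind()` wrapper that prints as native but carries a "bound" name. The `makeCleanContainer`, `makeHookedContainer` and `makeBoundContainer` fixtures are constructed stand-ins for `navigator.credentials` so the code runs outside a browser; in a page you would call `checkWebAuthnIntegrity(navigator.credentials)`.

```javascript
// Added example (not SquareX's or the article's code): a relying-party-side
// integrity probe for navigator.credentials.create / .get.

const WEBAUTHN_METHODS = ['create', 'get'];
const NATIVE_SOURCE = /\{\s*\[native code\]\s*\}\s*$/;

// Capture the original toString so a hooked instance method cannot describe itself.
const fnToString = Function.prototype.toString;

function looksNative(fn) {
  return typeof fn === 'function' && NATIVE_SOURCE.test(fnToString.call(fn));
}

// Inspect a CredentialsContainer-like object. Returns an array of findings;
// an empty array means no sign of tampering was observed (not proof of none).
function checkWebAuthnIntegrity(container) {
  if (container === null || typeof container !== 'object') {
    return ['credentials container missing or not an object'];
  }
  const findings = [];
  // A hooked Function.prototype.toString would mask every other check,
  // so confirm it still reports itself as native code first.
  if (!NATIVE_SOURCE.test(fnToString.call(fnToString))) {
    findings.push('Function.prototype.toString is not native');
  }
  const proto = Object.getPrototypeOf(container);
  for (const name of WEBAUTHN_METHODS) {
    // Native methods live on the prototype; an own property on the instance
    // is the cheapest way for a script to shadow them.
    if (Object.prototype.hasOwnProperty.call(container, name)) {
      findings.push(`${name}: shadowed by an own property on the instance`);
    }
    const fn = container[name]; // what a page calling the API would actually reach
    if (typeof fn !== 'function') {
      findings.push(`${name}: not a function`);
      continue;
    }
    if (!looksNative(fn)) {
      findings.push(`${name}: source is not native code`);
    }
    // bind() yields a wrapper whose source prints as native but is named "bound <name>".
    if (fn.name !== name) {
      findings.push(`${name}: function name is "${fn.name}", expected "${name}"`);
    }
    if (!proto || !Object.getOwnPropertyDescriptor(proto, name)) {
      findings.push(`${name}: not defined on the prototype`);
    }
  }
  return findings;
}

// --- Constructed fixtures standing in for navigator.credentials (hypothetical) ---
// Two real native functions that happen to be named "create" and "get" stand in
// for the WebAuthn methods, placed on a prototype like the browser does.
function makeCleanContainer() {
  const proto = {};
  Object.defineProperty(proto, 'create', { value: Object.create, writable: true, configurable: true });
  Object.defineProperty(proto, 'get', { value: Map.prototype.get, writable: true, configurable: true });
  return Object.create(proto);
}

// Mimics an instance-level hook: the page now reaches plain JavaScript that
// never talks to the authenticator.
function makeHookedContainer() {
  const c = makeCleanContainer();
  c.create = function create(options) { return Promise.resolve({ hooked: true, options }); };
  return c;
}

// A bind() wrapper passes the native-source test; the name check catches it.
function makeBoundContainer() {
  const c = makeCleanContainer();
  c.get = Object.getPrototypeOf(c).get.bind(c);
  return c;
}

if (typeof navigator !== 'undefined' && navigator.credentials) {
  console.log('live  :', checkWebAuthnIntegrity(navigator.credentials));
} else {
  console.log('clean :', checkWebAuthnIntegrity(makeCleanContainer()));   // []
  console.log('hooked:', checkWebAuthnIntegrity(makeHookedContainer()));  // shadowed + non-native
  console.log('bound :', checkWebAuthnIntegrity(makeBoundContainer()));   // shadowed + name mismatch
}
```

Treat a non-empty result as a signal worth logging server-side, not as proof either way: an extension that injects into the page's main world early enough can also replace `Function.prototype.toString` or swap the whole prototype, which is exactly the article's point that a browser which cannot be trusted can dupe both the user and the service. The durable control remains the one the article gives, keeping installed extensions to a minimum.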
The Wild West of Browser Extensions
While the focus has been on patching vulnerabilities in browser software, researchers caution that extensions pose a significant security risk. With 99% of users relying on add-ons layered on top of the browser, a single malicious one compromises security immediately.
Malicious extensions have already been identified as a threat, and legitimate ones can be hijacked once installed on-device. The advice from SquareX is to approach extensions with the same wariness that you would extend to apps on your device.
A Wake-Up Call for Passkey Users
The discovery by SquareX serves as a wake-up call for passkey users, highlighting the importance of maintaining strong browser security. With over 15 billion passkeys in use and growing rapidly, the risk of identity attacks cannot be ignored.
According to Ramachandran, "passkey stealing is not only possible but also as trivial as traditional credential stealing." To protect yourself, check your browser for installed extensions and delete any that you don't use or that don't come from official stores and recognized developers.
A Call to Action
As passkeys become increasingly prevalent in enterprise security, it is essential to address the vulnerabilities that exist within our digital infrastructure. SquareX's research serves as a reminder that no system is completely secure, but with awareness and proactive measures, we can mitigate these risks.
Stay vigilant and stay safe by keeping your browser extensions up-to-date and under control.