CVE-2024-9956 - PassKey Account Takeover in All Mobile Browsers
(mastersplinter.work)
from tedu@inks.tedunangst.com to inks@inks.tedunangst.com on 20 Mar 05:23
https://inks.tedunangst.com/l/5202
An attacker within Bluetooth range can trigger navigation to a FIDO:/ URI from an attacker-controlled page in a mobile browser, initiating a legitimate passkey authentication intent that is received on the attacker's device. This lets the attacker "phish" passkey credentials, breaking the assumption that passkeys are impossible to phish.