Researchers Identify New Exploit Bypassing WebAuthn-Based Key Logins

Security firm SlowMist warns of an attack method using malicious extensions or XSS to hijack WebAuthn API, potentially compromising passwordless authentication systems.

205d ago

Summary

SlowMist security officer 23pds reported a new exploit that bypasses WebAuthn key logins by exploiting malicious browser extensions or XSS vulnerabilities. This attack downgrades authentication to password login and manipulates key registration, allowing attackers to steal credentials without access to the victim’s device or biometrics. The vulnerability poses significant risks for accounts on compromised websites.

Terms & Concepts

WebAuthn: A web standard for passwordless authentication using public key cryptography, often involving hardware security keys or biometric devices.
XSS (Cross-Site Scripting): A web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
Browser Extensions: Software modules that add or modify browser functionality, which can be exploited if malicious or compromised.