Passkeys aren’t attack-proof, not until properly implemented
- by nlqip
“We used the standard GitHub phishlet that can be found in various user repositories on GitHub itself,” Stewart said. “When the targeted user visits the lure URL, other than the hostname in the URL bar, what they will see looks just like the normal GitHub login page, because it is the actual GitHub login page, just proxied through Evilginx.”
“However, by slightly modifying the standard phishlet configuration, we can remove the ‘Sign in with a passkey’ text,” Stewart added, demonstrating how easily a user can be tricked into falling back to password-based authentication.
The study noted that these kinds of attacks can be staged for cases where passkeys are used as the first factor as well as the second-factor authentication method. “Unless the user specifically remembers that they should see a passkey option, they will most likely simply enter their username and password, which will be sent to the attacker along with the authentication token/cookies, which the attacker can use to maintain persistent access to the account,” Stewart added.
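The defender-side counterpart to what Stewart describes, as an added example that is not part of this article, of Evilginx, or of GitHub's code: the reason a proxied login page cannot harvest a passkey is that the browser writes the page's real origin into the signed `clientDataJSON`, so a relying party that checks `origin` and the `rpId` hash rejects any assertion produced on another hostname. The attack only works because the account still accepts a password on its own, which is the policy the last function refuses. The origin `https://accounts.example.com`, the RP ID `example.com`, the look-alike hostname and the challenge bytes are all hypothetical, constructed values; a real verifier additionally checks the assertion signature with the stored public key, which this snippet omits.

```python
import base64
import hashlib
import json

# Hypothetical relying-party (RP) identity; replace with your own deployment's values.
EXPECTED_ORIGIN = "https://accounts.example.com"
EXPECTED_RP_ID = "example.com"

# Constructed per-login challenge; a real server generates this randomly per session.
CHALLENGE = b"constructed-challenge-32-bytes!!"


def b64url_encode(data: bytes) -> str:
    """WebAuthn wire format: base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    """Decode base64url, tolerating the missing padding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build a clientDataJSON blob as a browser would for a 'get' ceremony.
    Used here only to construct sample inputs for the verifier below."""
    payload = {"type": "webauthn.get",
               "challenge": b64url_encode(challenge),
               "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) || flags (UP set) || 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"


def verify_client_data(client_data_b64: str, expected_challenge: bytes) -> tuple[bool, str]:
    """Check the fields of clientDataJSON that defeat reverse-proxy phishing.
    The browser, not the page, fills in `origin` from the URL it is really on,
    and that value is covered by the authenticator's signature, so a proxied
    copy of the login page at another hostname cannot produce a passing blob."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "clientDataJSON is not valid base64url JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    return True, "ok"


def verify_rp_id_hash(authenticator_data: bytes) -> bool:
    """The first 32 bytes of authenticatorData must equal SHA-256 of our rpId."""
    return authenticator_data[:32] == hashlib.sha256(EXPECTED_RP_ID.encode()).digest()


def password_login_allowed(account: dict) -> tuple[bool, str]:
    """Server-side fallback policy. Once an account has a passkey enrolled,
    a password on its own is no longer a complete login, so a page that hides
    the passkey button has nothing to harvest that grants access."""
    enrolled = account.get("passkeys_enrolled", 0) > 0
    if enrolled and not account.get("allow_password_fallback", False):
        return False, "passkey-enrolled account: password-only login refused"
    return True, "password login permitted"


if __name__ == "__main__":
    genuine = make_client_data(EXPECTED_ORIGIN, CHALLENGE)
    # Constructed look-alike hostname standing in for a proxied copy of the page.
    proxied = make_client_data("https://accounts.example-login.test", CHALLENGE)
    print("genuine:", verify_client_data(genuine, CHALLENGE))
    print("proxied:", verify_client_data(proxied, CHALLENGE))
    print("rpIdHash ok:", verify_rp_id_hash(make_authenticator_data(EXPECTED_RP_ID)))
    print("policy:", password_login_allowed({"passkeys_enrolled": 1}))
```

The origin check is the property the article's headline points at: the passkey itself never leaves the genuine origin, so the "proper implementation" gap is not in WebAuthn but in still honouring a bare password for an account that has a passkey. Detection-wise, a login where the password succeeds but the account has a passkey enrolled and no passkey assertion was presented is a useful signal on its own.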