Passkeys aren’t attack-proof until properly implemented
- by nlqip
“We used the standard GitHub phishlet that can be found in various user repositories on GitHub itself,” Stewart said. “When the targeted user visits the lure URL, other than the hostname in the URL bar, what they will see looks just like the normal GitHub login page, because it is the actual GitHub login page, just proxied through Evilginx.”
“However, by slightly modifying the standard phishlet configuration, we can remove the ‘Sign in with a passkey’ text,” Stewart added, demonstrating how easily a user can be tricked into choosing the backup, password-based authentication method.
The study noted that these kinds of attacks can be staged for cases where passkeys are used as the first factor as well as where they are used as the second factor. “Unless the user specifically remembers that they should see a passkey option, they will most likely simply enter their username and password, which will be sent to the attacker along with the authentication token/cookies, which the attacker can use to maintain persistent access to the account,” Stewart added.
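To show why the passkey ceremony itself survives a proxied login page while the password fallback does not, here is an added example (not code from the article or from the researchers quoted) of the two relying-party checks WebAuthn specifies: the browser-supplied origin in clientDataJSON and the RP ID hash in authenticatorData, plus a sign-in policy that withholds the password fallback once a passkey is enrolled. The origin, RP ID, challenge and account fields are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed placeholders for the relying party (RP); not real sites.
EXPECTED_ORIGIN = "https://example.test"
EXPECTED_RP_ID = "example.test"

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What a browser writes into clientDataJSON for the page it really loaded."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()

def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) | flags (UP, UV) | signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"

def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str = EXPECTED_ORIGIN) -> bool:
    """RP-side checks on clientDataJSON, done before the signature is verified."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False  # replayed or foreign challenge
    # The browser records the origin of the page it actually loaded, so a login
    # relayed through a proxy on a lure hostname carries the wrong origin.
    return cd.get("origin") == expected_origin

def verify_rp_id_hash(authenticator_data: bytes, rp_id: str = EXPECTED_RP_ID) -> bool:
    """First 32 bytes of authenticatorData must equal SHA-256 of the RP ID."""
    return authenticator_data[:32] == hashlib.sha256(rp_id.encode()).digest()

def login_methods_offered(account: dict) -> list:
    """Policy side of 'properly implemented': no password fallback once a
    passkey is enrolled and the account has opted into passkey-only sign-in."""
    if account.get("passkey_enrolled") and account.get("passkey_only"):
        return ["passkey"]
    return ["passkey", "password"] if account.get("passkey_enrolled") else ["password"]
```

A password typed into the proxied page has no equivalent of the origin check, which is why the fallback, not the passkey, is what the phishlet harvests.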