Passkeys Pwned: Turning WebAuthn Against Itself


The Passkeys Pwned attack highlights a flaw in how passkeys are implemented, specifically in the WebAuthn registration and authentication process, allowing unauthorized access to enterprise SaaS apps and resources.


The Passkeys Pwned Talk Summary


DEF CON 33 Passkeys Pwned Talk Abstract

"This presentation demonstrates how attackers can proxy WebAuthn API calls to forge passkey registration and authentication responses. We'll showcase this using a browser extension as an example, but the same technique applies to any website vulnerable to client-side script injection, such as XSS or misconfigured widgets."

Mitigation

For Enterprises

Audit Browser Extensions

Conduct a comprehensive audit of your organization’s browser extensions, including dynamic analysis of their real-time behavior, and block any extension that injects suspicious scripts that could lead to a Passkeys Pwned attack. This audit should not be done only at the point of installation but continuously, since popular, benign extensions commonly turn malicious after being compromised or purchased by an attacker.

Harden the Browser

Given that the browser is the main user interface for passkeys, it is critical to implement browser-native security that inspects and blocks all malicious scripts from running, including those injected by malicious extensions and XSS attacks. SquareX’s Browser Detection and Response solution can prevent attackers from calling WebAuthn APIs in the user’s browser, preventing the generation of attacker key pairs in the first place.
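The attack described in the abstract works by replacing the page's WebAuthn entry points (`navigator.credentials.create` and `navigator.credentials.get`) with a proxying script. As an added example that is not SquareX's code or the talk's, the following relying-party-side heuristic checks whether those functions still look native. It takes a navigator-like object as a parameter so it can be exercised outside a browser, and it is only a heuristic: a script that runs before the page's own code can also replace `Function.prototype.toString` or wrap the native function in a Proxy, so this complements blocking the injection rather than replacing it.

```javascript
// Added example: heuristic tamper check for the WebAuthn entry points.
// A script that proxies WebAuthn calls must replace navigator.credentials.create
// and navigator.credentials.get (or the CredentialsContainer prototype methods).
// Native implementations report "[native code]" from Function.prototype.toString
// and live on the prototype, not as own properties of the credentials object.

const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Capture toString once, so a replacement made after this script ran is at least
// visible as a separate finding below (one made before it is not).
const nativeToString = Function.prototype.toString;

function looksNative(fn) {
  if (typeof fn !== "function") return false;
  // Note: a Proxy around a native function also prints [native code], so a
  // "true" here is evidence, not proof, that the function is untouched.
  return NATIVE_RE.test(nativeToString.call(fn));
}

// Returns a list of findings (an empty list means nothing suspicious was seen).
// `nav` is a navigator-like object: { credentials: { create, get } }.
function checkWebAuthnIntegrity(nav) {
  const findings = [];
  const creds = nav && nav.credentials;
  if (!creds) {
    findings.push("navigator.credentials missing");
    return findings;
  }
  for (const name of ["create", "get"]) {
    // Monkey-patching the instance leaves an own property shadowing the prototype method.
    if (Object.prototype.hasOwnProperty.call(creds, name)) {
      findings.push(`credentials.${name} is an own property (shadowed)`);
    }
    if (!looksNative(creds[name])) {
      findings.push(`credentials.${name} is not native code`);
    }
  }
  // If Function.prototype.toString itself was replaced, the checks above are unreliable.
  if (!NATIVE_RE.test(nativeToString.call(Function.prototype.toString))) {
    findings.push("Function.prototype.toString has been replaced");
  }
  return findings;
}

// In a browser, run it against the real navigator; a no-op elsewhere (e.g. Node).
if (typeof navigator !== "undefined" && navigator.credentials) {
  console.log(checkWebAuthnIntegrity(navigator));
}
```

A relying party would report any non-empty finding list to its backend before accepting the ceremony result, and treat it as a signal to investigate the client, not as a standalone authentication decision.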

The SquareX Solution

SquareX's extension turns any browser on any device into an enterprise-grade secure browser. SquareX is the only solution that combines all three key components of browser security in a single platform:

  • Browser Detection and Response to detect & mitigate web attacks including identity attacks, malicious extensions, advanced spearphishing attacks and malicious files
  • Enterprise browser to provide secure access to enterprise apps including VDI reduction, BYOD, 3rd party contractors and remote workers
  • Browser DLP including GenAI DLP, clipboard DLP, file DLP, insider attacks and data exfiltration attacks

The lightweight browser extension is compatible with all major browsers, including Chrome, Edge, Safari and Firefox, and can be easily deployed across both managed and unmanaged devices.