CVE-2024-9956 – PassKey Account Takeover in All Mobile Browsers

Phishing PassKeys credentials using browser intents

To put it simply, when a web application wants to use PassKeys to authenticate a user, it must tell the browser which origins (the Relying Party, or RP) are allowed to register and request credentials for that site. The web application tells the browser (the WebAuthn client) to start an authentication using the JavaScript call navigator.credentials.get, passing the RP's public key returned by the backend like so:

When he isn't paying attention, the attacker, who also deserves a name so we'll call her Alice, slips a Raspberry Pi Pico equipped with a GSM and BLE module into his backpack.
