Your passkeys could be vulnerable to attack, and everyone - including you - must act


When a clickjack attack managed to hijack a passkey authentication ceremony, were password managers really to blame? ZDNET's investigation reveals a more complicated answer.

At this year's DEF CON conference in Las Vegas, white hat security researcher Marek Tóth demonstrated how threat actors could use a clickjack attack to surreptitiously trigger and hijack a passkey-based authentication ceremony. In Tóth's exploit, the malicious JavaScript paints the browser window with a seemingly innocent dialog like a pop-up ad or cookie consent form -- the sort of thing we see all the time and just want to clear off our screen. However, it does nothing to stop the threat actor's exfiltration of the user's ID and password when Tóth's clickjack attack encounters an attempt to authenticate with those traditional credentials versus the more time-sensitive and secure passkeys.

Or read this on ZDNet
