According to PANews, a new type of attack has been identified that can bypass WebAuthn key-based login systems. The discovery was made by 23pds, Chief Information Security Officer at SlowMist Technology, who shared the findings on the X platform. This attack allows perpetrators to hijack the WebAuthn API through malicious browser extensions or by exploiting XSS vulnerabilities on websites. Consequently, attackers can force a downgrade to password login or manipulate the key registration process to steal user credentials.

This attack does not require access to the victim's device or Face ID. Users who log in with keys on a compromised website, or whose browser carries a malicious extension, may be impersonated, leading to account breaches.

WebAuthn, or Web Authentication, is a web standard developed by the W3C and the FIDO Alliance. It aims to provide secure authentication through public key cryptography, as a replacement for or a supplement to traditional passwords. Users can log in with hardware security keys such as YubiKey, built-in platform authenticators such as Windows Hello, Touch ID or Android biometrics, or any device compliant with the FIDO2 standard.