CVE-2024-9956 – PassKey Account Takeover in All Mobile Browsers
Published on: 2025-06-09 13:07:01
In this blog post I will go over a vulnerability I found in all major mobile browsers that allowed an attacker within Bluetooth range to take over PassKeys-protected accounts by triggering FIDO:/ intents.
TL;DR: An attacker within Bluetooth range can trigger navigation to a FIDO:/ URI from an attacker-controlled page in a mobile browser. This initiates a legitimate PassKeys cross-device authentication intent that is received on the attacker's device, letting the attacker "phish" PassKeys credentials and breaking the assumption that PassKeys are impossible to phish.
While I was completing my research on exploiting BankID authentication and other cross-device authentication protocols (which I hope to publish soon as well), one thought had always haunted me: "Why did these companies go through the trouble of implementing all this stuff when PassKeys clearly support their use cases?" I thought this simply because it seemed to me that if one wanted a secure