Hacker News: CVE-2024-9956 – PassKey Account Takeover in All Mobile Browsers

Source URL: https://mastersplinter.work/research/passkey/
Source: Hacker News
Title: CVE-2024-9956 – PassKey Account Takeover in All Mobile Browsers

Summary: The provided text discusses a significant vulnerability in major mobile browsers that lets an attacker within Bluetooth range abuse FIDO URIs, undermining the security assumptions behind PassKey authentication. It shows that PassKeys, despite being designed to resist phishing, can still be phished through this weakness, which makes the issue important for security professionals to understand.

Detailed Description: The text elaborates on a vulnerability that affects mobile browser security concerning PassKeys, a modern method of secure authentication. Here are the key points and implications:

– **Vulnerability Overview**: An attacker within Bluetooth range can trigger navigation to a FIDO:/ URI from a malicious page, leading to unauthorized access to PassKeys credentials.

– **Research Background**: Initiatives to understand various Cross-Device authentication protocols reveal weaknesses in PassKeys. The author emphasizes the irony that while PassKeys are considered secure, their implementation can still expose users to phishing attacks.

– **Key Concepts**:
  – **Multiple Origins**: Weak origin checks could allow attackers to initiate phishing attempts.
  – **Account Takeover (ATO)**: An attacker can overwrite a victim’s credentials if proper validation isn’t present.
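The "weak origin checks" point above concerns the relying-party side of WebAuthn: a server that accepts an assertion without strictly binding it to the expected origin, challenge and RP ID has no defense when a credential is exercised from somewhere it should not be. The following example is added here and is not code from the research post or from any browser vendor; it shows the checks a hypothetical relying party (origin `https://login.example.com`, RP ID `example.com`, both assumed values) should apply to the `clientDataJSON` and `authenticatorData` it receives. The helper that builds sample client data is constructed for the demonstration only, and the browser-side navigation bug itself is out of scope for a server check like this.

```python
import base64
import hashlib
import json
import secrets

# Constructed configuration for a hypothetical relying party (assumption).
ALLOWED_ORIGINS = {"https://login.example.com"}
EXPECTED_RP_ID = "example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used throughout WebAuthn."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_client_data(client_data_json: bytes, expected_challenge: bytes,
                      expected_type: str = "webauthn.get") -> tuple:
    """Strictly validate the clientDataJSON the authenticator signed over.

    Returns (True, "ok") on success or (False, reason) on the first failed check.
    Every field is compared against a server-side expectation; nothing is
    trusted just because it is well-formed.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != expected_type:
        return False, "unexpected ceremony type %r" % client_data.get("type")
    challenge = client_data.get("challenge")
    try:
        supplied = b64url_decode(challenge) if isinstance(challenge, str) else b""
    except (ValueError, TypeError):
        supplied = b""
    # Constant-time compare; a stale or foreign challenge indicates replay
    # or a response relayed from a different session.
    if not secrets.compare_digest(supplied, expected_challenge):
        return False, "challenge mismatch"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, "origin %r is not an allowed origin" % origin
    if client_data.get("crossOrigin", False):
        return False, "cross-origin credential use is not permitted"
    return True, "ok"


def check_rp_id_hash(authenticator_data: bytes, rp_id: str = EXPECTED_RP_ID) -> bool:
    """authenticatorData starts with SHA-256(rpId); it must be our RP ID.

    The minimum length of 37 covers the 32-byte hash, 1 flag byte and a
    4-byte signature counter.
    """
    if len(authenticator_data) < 37:
        return False
    expected = hashlib.sha256(rp_id.encode()).digest()
    return secrets.compare_digest(authenticator_data[:32], expected)


def make_client_data(origin: str, challenge: bytes, type_: str = "webauthn.get",
                     cross_origin: bool = False) -> bytes:
    """Constructed clientDataJSON shaped the way a browser produces it (demo only)."""
    return json.dumps({"type": type_, "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": cross_origin}).encode()


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Constructed 37-byte authenticatorData header: rpIdHash, flags (UP), counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + sign_count.to_bytes(4, "big")


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    good = make_client_data("https://login.example.com", challenge)
    print(check_client_data(good, challenge))                       # (True, 'ok')
    bad = make_client_data("https://login.example.net", challenge)  # wrong origin
    print(check_client_data(bad, challenge))
    print(check_rp_id_hash(make_authenticator_data("example.com")))  # True
```

The point of the example is that origin, challenge and RP ID are three independent bindings, and a relying party should fail closed on any one of them rather than accept an assertion that merely parses and carries a valid signature.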

– **Phishing Mechanism**:
  – Steps of the attack are outlined, showing how a victim might inadvertently authenticate through a phishing link, allowing an attacker to gain unauthorized access:
    – Victim clicks a link on a malicious page.
    – The attacker initiates WebAuthn authentication and extracts a FIDO URI.
    – The victim’s authenticator connects to the attacker’s device, unintentionally providing access.

– **Technical Insights**:
  – The communication between client and authenticator is outlined through BLE (Bluetooth Low Energy), establishing proximity as a security measure.
  – The attack exploits the FIDO:/ URI’s ability to navigate mobile browsers, undermining the intended security protections.

– **CVE-2024-9956**: The vulnerability affects major mobile browsers including Safari, Chrome, and Firefox, requiring urgent fixes that blacklist the vulnerable URIs.

– **Attack Scenarios**: Two realistic attack situations are presented:
  – **Public Wi-Fi Phishing**: Setting up a malicious access point in crowded areas (like airports) where users are encouraged to log in using social media accounts.
  – **Targeted Phishing**: A more personalized approach where an attacker collects OSINT to target specific users, luring them through convincing phishing strategies.

– **Conclusion**: The author acknowledges the quick response from browser teams in patching the vulnerabilities and encourages more research into PassKeys security.

This blog post offers practical insight into the real-world implications of web authentication vulnerabilities, making it an essential read for security professionals focused on authentication methods, web application security, and phishing threats. Understanding these weaknesses helps practitioners strengthen the safeguards around PassKeys and similar authentication technologies.