Unpacking Passkeys Pwned: Possibly the most specious research in decades
Briefly

SquareX, a startup selling browser and client-side security services, claims to have found a major passkey vulnerability and has presented an attack it calls "Passkeys Pwned." The attack uses a malicious browser extension, planted through social engineering, to hijack passkey creation for sites such as Gmail and Microsoft 365: the extension creates a keypair bound to the legitimate domain but generated and controlled by the attacker, who can then sign in to cloud applications used for sensitive operations. SquareX states that stealing passkeys is possible and as trivial as traditional credential theft, and warns that passkeys lack the decades of security validation that older technologies have had. Note the precondition: the attacker must already be running code inside the victim's browser, so the attack starts from a compromised client rather than from a flaw in the passkey protocol itself.
Don't believe everything you read, especially when it's part of a marketing pitch designed to sell security services. The latest example of the runaway hype that can come from such pitches is research published today by SquareX, a startup selling services for securing browsers and other client-side applications. It claims, without basis, to have found a "major passkey vulnerability" that undermines the lofty security promises made by Apple, Google, Microsoft, and thousands of other companies that have enthusiastically embraced passkeys.
"This discovery breaks the myth that passkeys cannot be stolen, demonstrating that 'passkey stealing' is not only possible, but as trivial as traditional credential stealing," SquareX researchers wrote in a draft version of Thursday's research paper sent to me. "This serves as a wake-up call that while passkeys appear more secure, much of this perception stems from a new technology that has not yet gone through decades of security research and trial by fire."
Read at Ars Technica