Unpacking Passkeys Pwned: Possibly the most specious research in decades
Malicious browser extensions can create attacker-controlled passkeys bound to legitimate domains, allowing account takeover and undermining the perceived theft immunity of passkeys.