Passkeys Pwned:
Turning WebAuthn Against Itself


On the DEFCON 33 main stage, SquareX researchers disclosed a major passkey vulnerability that uses malicious extensions/scripts to fake passkey registration and logins, allowing attackers to access enterprise SaaS apps without the user’s device or biometrics.

This discovery breaks the myth that passkeys cannot be stolen, demonstrating that “passkey stealing” is not only possible, but as trivial as traditional credential stealing.

See how SquareX's Browser Detection and Response (BDR) solution prevents passkey bypasses

The Passkey Pwned Attack

The Passkey Pwned attack exploits the fact that there is no secure communication channel between the authenticator (device) and the service provider (web app). The browser is the primary interface through which users register and authenticate with passkeys, so both sides rely on the browser to communicate honestly. An attacker who can run code in the browser (e.g. via a malicious script or browser extension) can therefore intercept and manipulate this communication, replacing the WebAuthn calls navigator.credentials.create() and navigator.credentials.get() with their own code and redirecting the exchange to their server.
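Because the hook the post describes replaces navigator.credentials.create() and navigator.credentials.get() inside the page, a relying party's page script or a browser-security extension can at least look for the traces such a replacement leaves. The following is an added example written for this page (it is not SquareX's code, and it is not the product described below): an integrity check over the WebAuthn methods, plus a constructed navigator-like object so it runs offline under Node. The stand-ins Object.create and Reflect.get are used only because they are native functions that happen to carry the names "create" and "get"; in a browser you would call auditWebAuthn(window.navigator).

```javascript
// Added example (not SquareX code): heuristic integrity checks on the WebAuthn
// entry points. The genuine methods are native browser code that live on
// CredentialsContainer.prototype; an in-page replacement usually differs in
// one of the ways checked below.
const NATIVE_SOURCE = /\{\s*\[native code\]\s*\}\s*$/;

// Returns a list of findings for a navigator-like object; an empty list means
// none of the heuristics fired.
function auditWebAuthn(nav) {
  const findings = [];
  const creds = nav && nav.credentials;
  if (!creds || typeof creds !== 'object') {
    findings.push('navigator.credentials is missing');
    return findings;
  }
  const proto = Object.getPrototypeOf(creds);
  for (const name of ['create', 'get']) {
    const fn = creds[name];
    if (typeof fn !== 'function') {
      findings.push(`credentials.${name} is not a function`);
      continue;
    }
    // (a) A hook installed by plain assignment becomes an own property that
    //     shadows the prototype method; the genuine container has none.
    if (Object.prototype.hasOwnProperty.call(creds, name)) {
      findings.push(`credentials.${name} is an own property shadowing the prototype method`);
    }
    // (b) Native methods stringify as "[native code]"; a JavaScript
    //     replacement exposes its own source text.
    if (!NATIVE_SOURCE.test(Function.prototype.toString.call(fn))) {
      findings.push(`credentials.${name} is not native code`);
    }
    // (c) Wrappers produced with .bind() also print "[native code]", but their
    //     name carries a "bound " prefix; the real methods are named plainly.
    if (fn.name !== name) {
      findings.push(`credentials.${name} is named "${fn.name}", expected "${name}"`);
    }
    // (d) The method must still be present on the prototype at all.
    const slot = proto && Object.getOwnPropertyDescriptor(proto, name);
    if (!slot || typeof slot.value !== 'function') {
      findings.push(`credentials.${name} is absent from the prototype`);
    }
  }
  return findings;
}

// Constructed stand-in (assumption for offline use): mimics the shape of
// navigator.credentials. Object.create and Reflect.get are native functions
// named "create" and "get", so they pass the same checks the real methods do.
function sampleNavigator(tampered) {
  function CredentialsContainer() {}
  Object.defineProperty(CredentialsContainer.prototype, 'create',
    { value: Object.create, writable: true, configurable: true });
  Object.defineProperty(CredentialsContainer.prototype, 'get',
    { value: Reflect.get, writable: true, configurable: true });
  const creds = new CredentialsContainer();
  if (tampered) {
    // Models the replacement the post describes, with inert bodies: the
    // instance methods are shadowed by script-controlled functions.
    creds.create = async function create() { throw new Error('stand-in for a replaced create'); };
    creds.get = Reflect.get.bind(creds); // a bound wrapper that looks native
  }
  return { credentials: creds };
}

// Audit the real navigator when one with WebAuthn exists, else the tampered stand-in.
const target = (typeof navigator !== 'undefined' && navigator.credentials) ? navigator : sampleNavigator(true);
console.log(auditWebAuthn(target));
```

These checks run in the same JavaScript realm as the hook, so a script that also patches Function.prototype.toString or the checker itself can defeat them; treat a clean result as absence of evidence, not proof of integrity. That limitation is the reason the mitigation section below pushes enforcement out of the page and into the browser layer.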

Mitigation

For Enterprises

Audit Browser Extensions

Conduct a comprehensive audit of your organization’s browser extensions, including dynamic analysis of their real-time behavior, and block any extension that injects suspicious scripts that could lead to a Passkeys Pwned attack. This audit should not be done only at the point of installation but continuously, as popular, benign extensions commonly turn malicious after an attacker compromises or purchases them.
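A first, static pass of such an audit can be automated from the extension manifests an enterprise already collects: an extension can only replace navigator.credentials on an arbitrary SaaS login page if it can run script on arbitrary sites. The following is an added example written for this page (not SquareX's product): a manifest triage that flags that capability. The two sample manifests are constructed, not real extensions, and the "risk" labels are this example's own convention. Static review only narrows the list; as the paragraph above says, behavior must still be watched continuously, since a manifest does not change when an extension's update does.

```javascript
// Added example (not SquareX code): static triage of extension manifests for
// the capability a Passkeys Pwned style hook needs, namely running script in
// pages across arbitrary origins. Covers MV2 (permissions) and MV3
// (host_permissions, "scripting", content script "world").
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const isBroad = (pattern) => BROAD_PATTERNS.has(pattern);

// manifest: a parsed manifest.json object. Returns { risk, reasons } where
// risk is 'high' (can run script on every site), 'review' (some notable
// capability) or 'low' (nothing flagged).
function triageManifest(manifest) {
  const reasons = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const broadHosts = perms.filter(isBroad);
  let scriptsEverywhere = false;

  if (broadHosts.length > 0) {
    reasons.push(`host access to every site: ${broadHosts.join(', ')}`);
  }
  if (perms.includes('scripting')) {
    reasons.push('"scripting" permission: can inject script into tabs at runtime');
    if (broadHosts.length > 0) scriptsEverywhere = true;
  }
  for (const cs of manifest.content_scripts || []) {
    const broadMatches = (cs.matches || []).filter(isBroad);
    if (broadMatches.length > 0) {
      // Even an isolated-world content script can append a <script> element
      // to the page, so a broad match is enough to flag on its own.
      scriptsEverywhere = true;
      reasons.push(`content script ${(cs.js || []).join(', ')} runs on ${broadMatches.join(', ')}`);
    }
    if (cs.world === 'MAIN') {
      reasons.push('content script declared in the page MAIN world (shares the page\'s navigator object)');
    }
  }
  const risk = scriptsEverywhere ? 'high' : (reasons.length > 0 ? 'review' : 'low');
  return { risk, reasons };
}

// Triage a whole inventory and return only the entries worth a human look.
function triageInventory(manifests) {
  return manifests
    .map((m) => ({ name: m.name, ...triageManifest(m) }))
    .filter((r) => r.risk !== 'low');
}

// Constructed sample manifests (not real extensions).
const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: 'Scoped intranet helper (constructed sample)',
  permissions: ['storage'],
  content_scripts: [{ matches: ['https://intranet.example/*'], js: ['helper.js'] }],
};
const OVERREACHING_MANIFEST = {
  manifest_version: 3,
  name: 'Overreaching extension (constructed sample)',
  permissions: ['scripting', 'storage'],
  host_permissions: ['<all_urls>'],
  content_scripts: [
    { matches: ['<all_urls>'], js: ['inject.js'], run_at: 'document_start', world: 'MAIN' },
  ],
};

console.log(triageInventory([SCOPED_MANIFEST, OVERREACHING_MANIFEST]));
```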

Harden the Browser

Given the browser is the main user interface for passkeys, it is critical to implement browser-native security to inspect and block all malicious scripts from running, including those injected by malicious extensions and XSS attacks. SquareX’s Browser Detection and Response solution can prevent attackers from calling WebAuthn APIs in the user’s browser, preventing the generation of attacker key pairs in the first place.

The SquareX Solution

SquareX's extension turns any browser on any device into an enterprise-grade secure browser. SquareX is the only solution that combines all three key components of browser security in a single platform:

  • Browser Detection and Response to detect & mitigate web attacks including identity attacks, malicious extensions, advanced spearphishing attacks and malicious files
  • Enterprise browser to provide secure access to enterprise apps including VDI reduction, BYOD, 3rd party contractors and remote workers
  • Browser DLP including GenAI DLP, clipboard DLP, file DLP, insider attacks and data exfiltration attacks

The lightweight browser extension is compatible with all major browsers, including Chrome, Edge, Safari and Firefox, and can be easily deployed across both managed and unmanaged devices.