21 votes

PassKey account takeover in all mobile browsers (via Bluetooth)

Posted March 13 by gco

Tags: security.cyber, passkeys, authentication, browsers, author.tobia righi, source.mastersplinter, apps.mobile

https://mastersplinter.work/research/passkey/

Link information

This data is scraped automatically and may be incorrect.

Authors: Me
Published: Feb 24 2025
Word count: 2189 words

1 comment

skybrian
March 13
Link
From the article: ... ... So, I guess it's fixed.
From the article:
There are two clear prerequisites for this attack to work against a victim on a mobile device:

An attacker controlled (evil) device within BLE range (< 100m)

A victim visiting an attacker controlled page
...

All major mobile browsers were found vulnerable, in this case the vulnerability is simply allowing FIDO:/ intents to be triggerable by a page. All fixes consisted in blacklisting such URIs from being navigable.

...

I would like to give special thanks to all the browsers teams for fixing this issue relatively quickly.

So, I guess it's fixed.
8 votes

Topic info

Short link
Comments: 1 comment (1 thread)
Last comment posted: March 13
Topic log (6): riQQ added tag 'apps.mobile' and removed tag 'apps' (5d 22h ago)

riQQ added tag 'apps' (5d 22h ago)

skybrian changed title from "PassKey account takeover in all mobile browsers" to "PassKey account takeover in all mobile browsers (via Bluetooth)" (12d 2h ago)

cfabbro changed title from "PassKey Account Takeover in All Mobile Browsers" to "PassKey account takeover in all mobile browsers" (12d 4h ago)

cfabbro added tags 'source.mastersplinter', 'author.tobia righi' (12d 4h ago)

gco (OP) changed title from "CVE-2024-9956 - PassKey Account Takeover in All Mobile Browsers" to "PassKey Account Takeover in All Mobile Browsers" (12d 18h ago)