TechFlow, September 22 — SlowMist Information Security Officer 23pds posted on X about a new method for bypassing WebAuthn key-based login. An attacker can hijack the WebAuthn API through a malicious browser extension or an XSS vulnerability on the website, either forcing a downgrade to password-based login or tampering with the key registration process to steal credentials. The attack requires neither physical access to the device nor access to its biometric functions.
WebAuthn is a web authentication standard developed by the W3C and the FIDO Alliance. It supports authentication methods such as hardware security keys and biometrics and is now widely used for secure website logins. Affected enterprises and users are advised to pay prompt attention to this security risk.
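The report describes two outcomes of a hijacked WebAuthn API: a silent downgrade to a password flow, and a tampered registration. The following is an added example, written for this page and not code from SlowMist or the report, of the two checks a relying party can put in place against them: a client-side tripwire that refuses to fall back to passwords when `navigator.credentials.create`/`get` no longer print as native functions, and the server-side validation of `clientDataJSON` (type, origin, challenge) that the WebAuthn specification already requires. The origin `https://login.example.test`, the spoofed origin, the challenge value and the `navigator.credentials`-shaped objects are all constructed for the example.

```javascript
// Added example for this page (not SlowMist's or the report's code).
// Part 1: client-side integrity tripwire for the WebAuthn API surface.
// Part 2: server-side validation of clientDataJSON from a WebAuthn response.

// True when fn prints as native code, i.e. it has not been replaced by a JS wrapper.
// Caveat: bound functions and Proxies also print as native, and a script that
// patches Function.prototype.toString can defeat this. Treat it as a tripwire only.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Inspect an object shaped like navigator.credentials (passed in so it can be tested
// outside a browser). Returns { ok, reasons }; a caller that gets ok === false should
// show an error rather than quietly offering a password form.
function checkWebAuthnSurface(credentials, publicKeyCredentialCtor) {
  const reasons = [];
  if (!credentials) {
    reasons.push("navigator.credentials missing");
  } else {
    if (!isNativeFunction(credentials.create)) reasons.push("credentials.create is not native");
    if (!isNativeFunction(credentials.get)) reasons.push("credentials.get is not native");
  }
  if (typeof publicKeyCredentialCtor !== "function") reasons.push("PublicKeyCredential missing");
  return { ok: reasons.length === 0, reasons };
}

// Server side: decode the base64url clientDataJSON the browser produced and check the
// three fields the spec requires the relying party to verify. A registration that a
// hijacked API relayed from another origin, or that reuses an old challenge, fails here.
// expectedChallenge is the base64url form of the challenge the server issued.
function validateClientData(clientDataJSONb64url, { expectedType, expectedOrigin, expectedChallenge }) {
  const json = Buffer.from(clientDataJSONb64url, "base64url").toString("utf8");
  let data;
  try {
    data = JSON.parse(json);
  } catch {
    return { ok: false, reason: "clientDataJSON is not valid JSON" };
  }
  if (data.type !== expectedType) return { ok: false, reason: `type ${data.type} != ${expectedType}` };
  if (data.origin !== expectedOrigin) return { ok: false, reason: `origin ${data.origin} != ${expectedOrigin}` };
  if (data.challenge !== expectedChallenge) return { ok: false, reason: "challenge mismatch" };
  return { ok: true, reason: "" };
}

// Constructed sample values (not from the report): the relying party origin and a
// challenge as the server would have stored it, base64url-encoded.
const RP_ORIGIN = "https://login.example.test";
const SAMPLE_CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl";

// Builds a clientDataJSON blob the way a browser would, so both the genuine and the
// spoofed-origin cases can be exercised offline.
function makeClientData(origin, type, challenge) {
  return Buffer.from(JSON.stringify({ type, challenge, origin }), "utf8").toString("base64url");
}
```

In a browser the first check is called as `checkWebAuthnSurface(navigator.credentials, window.PublicKeyCredential)` before the login page decides which flow to offer; the second runs on the server against the `clientDataJSON` field of the registration or assertion response, after the server has looked up the challenge it issued for that session. The client-side check can be evaded by a script that already runs in the page, so the server-side origin and challenge comparison is the control that actually holds; the tripwire only serves to stop the site's own code from cooperating with a downgrade.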