Think passkeys are the ultimate shield against cyber threats? Think again! SquareX just dropped a bombshell at DEF CON 33, revealing a major vulnerability that could put your banking and personal accounts at risk. It turns out, your browser might be the weakest link. Are your digital defenses truly secure?
The promise of a passwordless future through passkeys has captivated the cybersecurity landscape, with over 15 billion accounts globally leveraging FIDO authentication for enhanced security. This innovative method, designed to eliminate vulnerabilities inherent in traditional passwords, relies on cryptographic key pairs for a seamless and protected login experience. However, new SquareX research unveiled at DEF CON 33 has critically challenged this secure facade, exposing a major passkey vulnerability that places banking, shopping, and enterprise SaaS applications at significant risk.
Fundamentally, passkeys operate by replacing static passwords with a pair of cryptographic keys. A unique private key is securely stored on the user’s device, while its corresponding public key resides on the website’s server. During authentication, users verify their identity locally using biometrics, a hardware key, or a PIN, which unlocks the private key; the private key then signs the login challenge issued by the website. The website validates this signature against the stored public key, ensuring secure access. This robust design was intended to bolster security by inextricably linking authentication to both a pre-registered device and the specific website, thereby circumventing the common pitfalls of stolen, reused, or weak passwords.
Critically, the entire communication pathway between the server and the user’s device during a passkey transaction is routed through the web browser. This fundamental operational model assumes an inherent “honesty” in the browser environment. Researchers demonstrated that this assumption is dangerously flawed: with relatively simple scripts and malicious browser extensions, attackers can intercept the passkey registration flow and forge its result, granting them unauthorized access to user accounts without requiring the actual device or biometric verification.
The implications of this browser security oversight are far-reaching, enabling attackers to not only bypass existing passkey protections but also to actively manipulate the authentication workflow. Even when legitimate passkeys are already registered, malicious actors can engineer scenarios where standard passkey logins fail, compelling users to re-register their passkeys. This forced re-registration can then occur within an attacker-controlled environment, effectively handing over control of the user’s account to the cybercriminal.
Alarmingly, traditional cybersecurity defenses prove insufficient against these sophisticated passkey exploits. Security tools such as Endpoint Detection and Response (EDR) and Security Service Edge (SSE) platforms lack the granular visibility required within the browser to detect such intricate attacks. From a user’s perspective, the malicious activity is indistinguishable from a legitimate passkey workflow, providing zero visual indicators or discernible network signals that could verify the authenticity of the authentication service or request. This stark reality underscores a critical gap in conventional security postures.
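As an added example (not SquareX’s code or research material), the structural checks a WebAuthn relying party performs on a registration response: rpIdHash, origin, challenge and the presence/verification flags all pass just as well for a key pair minted by script inside the browser, so the only server-side evidence that a genuine authenticator created the key is an attestation statement, which the default attestation format “none” does not carry. The RP ID, origin and sample response bytes are assumptions constructed for the example.

```python
import base64, hashlib, json, struct
RP_ID = "bank.example"             # assumption: the relying party's domain
ORIGIN = "https://" + RP_ID
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40   # user present / verified / attested cred data

def b64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_client_data(client_data_json: bytes, expected_challenge: bytes) -> dict:
    """Validate the clientDataJSON half of a registration response."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.create":
        raise ValueError("not a registration ceremony")
    if b64url(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: replayed or foreign response")
    if cd.get("origin") != ORIGIN:
        raise ValueError("unexpected origin " + repr(cd.get("origin")))
    return cd

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse authenticatorData: rpIdHash(32) | flags(1) | signCount(4) | attested cred data."""
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    flags, sign_count = auth_data[32], struct.unpack(">I", auth_data[33:37])[0]
    if not flags & FLAG_UP or not flags & FLAG_AT:
        raise ValueError("user presence or attested credential data missing")
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    return {"aaguid": auth_data[37:53].hex(), "sign_count": sign_count,
            "user_verified": bool(flags & FLAG_UV),
            "credential_id": auth_data[55:55 + cred_len],
            "cose_public_key": auth_data[55 + cred_len:]}  # CBOR; left for a COSE library

def verify_registration(client_data_json, auth_data, att_fmt, expected_challenge) -> dict:
    """Every structural check can pass for a browser-forged key pair; only an
    attestation statement (fmt != 'none') evidences a real authenticator."""
    check_client_data(client_data_json, expected_challenge)
    cred = parse_auth_data(auth_data)
    cred["attested"] = att_fmt != "none"
    return cred

def sample_response(challenge: bytes):
    """Constructed registration response carrying 'none' attestation (not real data)."""
    cd = json.dumps({"type": "webauthn.create", "origin": ORIGIN,
                     "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}).encode()
    cred_id = b"constructed-credential-id"
    auth = (hashlib.sha256(RP_ID.encode()).digest() + bytes([FLAG_UP | FLAG_UV | FLAG_AT])
            + struct.pack(">I", 0) + bytes(16) + struct.pack(">H", len(cred_id)) + cred_id
            + b"\xa5\x01\x02")  # truncated COSE key placeholder
    return cd, auth, "none"
```

A relying party that wants a signal here must request and verify an attestation format other than “none” and decide per credential whether an unattested key is acceptable.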
As enterprises increasingly migrate their operations, with over 80% of corporate data now residing in SaaS applications, passkeys have rapidly emerged as the preferred and often mandated authentication method for accessing these vital platforms. The SquareX research definitively highlights that browsers, rather than being a neutral conduit, represent a significant vulnerable point in the passkey security chain. They provide fertile ground for multiple attack vectors that malicious actors can exploit to compromise passkeys and, by extension, gain unauthorized access to critical enterprise SaaS data.
Recognizing this burgeoning threat, SquareX has pioneered an innovative solution: Browser Detection and Response (BDR). Described as an “EDR in the browser,” this industry-first solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks. BDR specifically targets malicious browser extensions, advanced spearphishing and browser-native ransomware, and also provides GenAI DLP, offering a comprehensive defense directly within the user’s browser environment. Unlike cumbersome legacy security approaches, SquareX BDR seamlessly integrates with existing consumer browsers, ensuring robust protection without compromising user experience or productivity.
As passkeys continue to solidify their position as the gold standard for authentication, it becomes paramount for enterprises to implement robust browser security measures. SquareX’s insights underscore the urgent need to protect the very environment where users and their passkeys primarily interact – the browser. By delivering unparalleled visibility and control directly within this critical vector, organizations can significantly reduce their attack surface, acquire actionable intelligence, and fortify their overall cybersecurity posture against the newest and most insidious client-side threats.