Overview
- SquareX researchers detailed at DEF CON 33 how a malicious extension can intercept passkey setup in the browser and replace WebAuthn calls with attacker-controlled code.
- The attack substitutes a key pair the attacker controls, can exfiltrate the private key, and can prompt users to re-register so that the newly created passkey is stolen as well.
- From the user’s perspective the prompts appear legitimate, and common enterprise security tools do not provide visibility into this browser-layer manipulation.
- The findings are a proof-of-concept with no confirmed in-the-wild cases reported, underscoring that passkeys still depend on a trusted browser environment.
- With more than 15 billion passkeys now in use, researchers advise auditing or removing untrusted extensions, keeping browsers updated, using antivirus, pairing sign-ins with authenticator apps, and limiting devices for sensitive logins.
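An added example, not SquareX's proof-of-concept or any vendor's code: a page-side integrity check that flags a WebAuthn surface (`navigator.credentials.create`/`get`, `PublicKeyCredential`) that has been overridden by injected script. The function name `auditWebAuthn` and the global object passed in are assumptions; in a browser you would call `auditWebAuthn(window)`.

```javascript
// Heuristic detector for a monkeypatched WebAuthn API (added example).
// Takes the global object as a parameter so it can also run offline against
// constructed mocks. An extension that replaces the whole `navigator` object
// or patches Function.prototype.toString itself can still evade this check.

const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Capture Function.prototype.toString at load time: a hook that overrides
// `toString` on the replaced function (to fake "[native code]") is bypassed
// because we never call the function's own toString.
const fnToString = Function.prototype.toString;

function looksNative(fn) {
  if (typeof fn !== "function") return false;
  try {
    return NATIVE_RE.test(fnToString.call(fn));
  } catch (e) {
    return false; // Proxy or exotic callable: treat as suspicious
  }
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditWebAuthn(win) {
  const findings = [];
  const creds = win && win.navigator && win.navigator.credentials;
  if (!creds) {
    findings.push("navigator.credentials is missing");
    return findings;
  }
  for (const name of ["create", "get"]) {
    // Genuine methods live on CredentialsContainer.prototype; an injected hook
    // usually shadows them with an own property on the instance.
    if (Object.prototype.hasOwnProperty.call(creds, name)) {
      findings.push(`navigator.credentials.${name} is an own property (prototype method shadowed)`);
    }
    if (!looksNative(creds[name])) {
      findings.push(`navigator.credentials.${name} is not native code`);
    }
  }
  if (typeof win.PublicKeyCredential !== "function" || !looksNative(win.PublicKeyCredential)) {
    findings.push("PublicKeyCredential is missing or not native");
  }
  return findings;
}
```

A relying party can run this before calling `navigator.credentials.create()` and refuse or log the registration when findings are non-empty; treat it as one signal, not proof of a clean browser.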