
Executive Summary
Passkeys, hailed as a major step towards phishing-resistant authentication, were found to be exposed by a flaw in how the major mobile browsers handled FIDO:/ URLs. The issue, tracked as CVE-2024-9956 for Chrome on Android and fixed in parallel by Safari and Firefox for Android, lets an attacker within Bluetooth Low Energy (BLE) range of the victim complete a passkey sign-in to the victim's account on the attacker's own device, provided the victim visits an attacker-controlled page and approves the resulting prompt. The implications are significant for sectors that rely on mobile authentication, in particular regions with heavy adoption of mobile payment systems. This report covers the technical details of the vulnerability, the attack scenarios demonstrated by the researcher, and the mitigations browser vendors have shipped to protect users.
Technical Information
Passkeys replace passwords with a public-key credential that is bound to the relying party's origin, which is what makes them resistant to conventional phishing: a fake site cannot obtain a signature valid for the real one. The flaw found in Safari, Chrome for Android and Firefox for Android does not break that binding. Instead, the attacker starts a genuine passkey sign-in for the real site on their own device and abuses the FIDO:/ URL (handled on mobile as an OS intent) to make the victim's phone complete it. The victim is phished into approving someone else's login, which undermines the practical security guarantee of passkeys.
The essence of the vulnerability lies in the FIDO:/ URLs that WebAuthn's cross-device (hybrid) transport uses to pair a browser with a phone. When a sign-in on a laptop asks for a passkey stored on a phone, the browser encodes pairing data in a FIDO:/ URL and normally shows it as a QR code for the user to scan; the phone then connects to the laptop over BLE, which is why the two must be physically close. The attack replaces the scan with a navigation. The attacker, within BLE range of the victim (the research cites under 100 meters), starts a WebAuthn authentication request for the victim's account on the attacker's own client and obtains the FIDO:/ URL it generates. The victim only needs to visit an attacker-controlled page and click a link: the page redirects the mobile browser to that FIDO:/ URL, the operating system treats it as an intent and opens the victim's passkey manager, and the manager connects to the attacker's client exactly as if the victim had scanned the attacker's QR code. If the victim confirms the authentication prompt, the signed assertion is delivered to the attacker's client and the attacker is logged in to the victim's account. No malware on the phone is required; the victim's approval is the only step the attacker cannot automate.
The original research illustrates the attack with two scenarios rather than confirmed in-the-wild incidents: an airport free Wi-Fi attack, in which a rogue captive portal redirects connecting phones to the FIDO:/ URL and phishes the passkey approval, and a crypto heist, in which a small device such as a Raspberry Pi is placed within BLE range of a high-value individual to target a specific account. Both scenarios need only commodity hardware and a moment of proximity, which underscores the need for the mitigations described below.
Browser vendors responded by refusing to navigate to FIDO:/ URLs from web content: Chromium, Safari and Firefox added the scheme to the list of schemes a page may not open, so a redirect or link to a FIDO:/ URL no longer reaches the OS intent handler. The QR-code flow itself is unchanged, since scanning a code is a deliberate physical act that a web page cannot trigger. The fix lives in the browser, so users and fleet administrators need to ensure mobile browsers are updated to patched versions; nothing in the passkey or relying-party configuration changes. The incident also highlights the need for ongoing scrutiny of the platform plumbing (URL schemes, intents, transports) around otherwise sound authentication protocols.
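The navigation check that the mitigation amounts to can be made concrete. The following is an added example written for this report, not code from any browser, the researcher's tooling, or Rescana's platform. It models a hypothetical browser's decision for a page-initiated navigation (render it, hand it to the OS as an external intent, or block it) and walks a constructed captive-portal redirect chain that ends in a FIDO:/ URL, contrasting the vulnerable behaviour with the hardened one. The URLs and the digit string after FIDO:/ are placeholders, not a real hybrid-transport payload. It also applies the WHATWG URL pre-processing steps (stripping leading controls and spaces, deleting embedded tabs and newlines) so that " FIDO:/..." or "fi\tdo:/..." cannot slip past a naive prefix check.

```python
import re
from typing import Dict, Optional, Tuple

# Scheme of the WebAuthn hybrid-transport URLs ("FIDO:/...") that the passkey
# QR code carries. The CVE-2024-9956 fix was to refuse page-initiated
# navigations to this scheme so a page can no longer hand it to the OS handler.
BLOCKED_SCHEMES = frozenset({"fido"})

# Schemes our hypothetical browser renders itself; any other scheme that is not
# blocked is dispatched to the operating system as an external intent.
RENDERABLE_SCHEMES = frozenset({"http", "https"})

_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))  # U+0000 .. U+0020
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def normalize_url(raw: str) -> str:
    """WHATWG URL pre-processing that matters for scheme matching: strip
    leading/trailing C0 controls and spaces, delete embedded tab, CR and LF."""
    stripped = raw.strip(_C0_AND_SPACE)
    return re.sub(r"[\t\r\n]", "", stripped)


def scheme_of(raw: str) -> Optional[str]:
    """Lower-cased scheme of the normalized URL, or None for a relative URL."""
    m = _SCHEME_RE.match(normalize_url(raw))
    return m.group(1).lower() if m else None


def classify_navigation(raw: str, hardened: bool) -> str:
    """Decide what a page-initiated navigation to `raw` does.

    "render"   - the browser loads it as a web page
    "external" - the browser dispatches it to the OS handler (the intent path
                 that opened the passkey manager in the vulnerable builds)
    "blocked"  - the navigation is refused (post-fix behaviour for fido:)
    """
    scheme = scheme_of(raw)
    if scheme is None or scheme in RENDERABLE_SCHEMES:
        return "render"
    if hardened and scheme in BLOCKED_SCHEMES:
        return "blocked"
    return "external"


def follow_redirects(start: str, redirects: Dict[str, str], hardened: bool,
                     max_hops: int = 10) -> Tuple[str, str]:
    """Walk a server-side redirect chain the way a browser would, applying the
    navigation policy at every hop: a Location header is just another
    page-initiated navigation. Returns (url_where_the_walk_stopped, outcome)."""
    url = start
    for _ in range(max_hops):
        outcome = classify_navigation(url, hardened)
        if outcome != "render":
            return url, outcome
        nxt = redirects.get(normalize_url(url))
        if nxt is None:
            return url, "render"
        url = nxt
    return url, "too_many_hops"


# Constructed captive-portal chain (placeholder hostnames; the digits are not a
# real hybrid-transport payload). The final hop carries a leading tab to show
# that normalization, not a raw prefix check, is what catches it.
CAPTIVE_PORTAL_REDIRECTS = {
    "https://wifi-portal.example/login": "https://wifi-portal.example/continue",
    "https://wifi-portal.example/continue": "\tFIDO:/0000000000000000000000000000",
}


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the same chain through a vulnerable and a hardened policy."""
    start = "https://wifi-portal.example/login"
    return {
        "vulnerable": follow_redirects(start, CAPTIVE_PORTAL_REDIRECTS, hardened=False),
        "hardened": follow_redirects(start, CAPTIVE_PORTAL_REDIRECTS, hardened=True),
    }


if __name__ == "__main__":
    for build, (url, outcome) in demo().items():
        print(f"{build:10s} -> {outcome:8s} at {url!r}")
```

The vulnerable policy ends the chain with "external", which is the point at which a real phone would launch the passkey manager and connect to whoever generated the URL; the hardened policy ends it with "blocked" before any handler is involved. The same check belongs wherever a product embeds a web view or follows Location headers on a user's behalf.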
Affected products are the mobile browsers named in the research, Safari on iOS, Chrome for Android and Firefox for Android, in versions released before the respective vendor fixes; patched versions refuse the FIDO:/ navigation. Organizations should confirm that managed mobile devices run patched browsers and treat the incident as a prompt to reassess how their passkey deployments depend on platform behaviour outside the WebAuthn specification itself.
References
- Original research and blog post by Tobia Righi, security researcher
- CrossCheck, the researcher's tool for testing for the vulnerability: https://github.com/Splinter0/CrossCheck
- NVD entry for CVE-2024-9956: https://nvd.nist.gov/vuln/detail/CVE-2024-9956
- Chromium issue tracker entry for CVE-2024-9956: https://issues.chromium.org/issues/370482421
Rescana is here for you
At Rescana, we are committed to assisting our clients in navigating the complexities of cybersecurity. Our Third Party Risk Management (TPRM) platform is designed to identify and mitigate risks associated with vulnerabilities such as CVE-2024-9956. We provide expert guidance and support to help you safeguard your assets and maintain robust security postures. Should you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com.