SlowMist CISO: WebAuthn Key Login Has Significant Security Risks
Sep 22, 2025 15:22:48
ChainCatcher news: SlowMist's chief information security officer, 23pds, posted on X about a new type of attack that bypasses WebAuthn key login. Attackers can hijack the WebAuthn API through malicious browser extensions or a website's XSS vulnerabilities, then either force a downgrade to password login or tamper with the key registration process to steal credentials. The attack can be completed without physical access to the device or access to biometric features.
WebAuthn is an important web authentication standard established by W3C and the FIDO Alliance. It supports various authentication methods, such as hardware keys and biometrics, and is currently widely used for secure website logins. Relevant enterprises and users are advised to pay prompt attention to this security risk.