Debunking “Passkeys Pwned”: An Examination of Potentially Misleading Research in Recent Years

Beware the Hype: New Claims of Passkey Vulnerabilities Under Scrutiny

In a striking example of the alarmism that can emerge from cybersecurity marketing, a recent report from SquareX—a startup specializing in browser security—asserts the existence of a significant vulnerability involving passkeys. This claim potentially undermines the security frameworks established by major technology firms, including Apple, Google, and Microsoft, all of which have vigorously promoted the adoption of passkeys as a more secure authentication method.

The term “Passkeys Pwned” refers to a cybersecurity technique showcased in a Defcon presentation earlier this month. The attack operates through a malicious browser extension, previously installed via social engineering, designed to subvert the process of creating a passkey for services like Gmail and Microsoft 365, among many others that utilize this enhanced authentication method.

Behind the scenes, the compromised extension enables the creation of a keypair that is incorrectly tied to the legitimate domain of gmail.com; however, this keypair is generated by the malware, placing control in the hands of an attacker. Such a breach raises alarms about the integrity of cloud applications that house sensitive organizational data, emphasizing that traditional credential theft tactics can still find success in this changing landscape.

SquareX’s researchers claim this revelation dismantles the prevailing myth that passkeys remain impervious to theft. They suggest that “passkey stealing” may be just as manageable as conventional credential theft, highlighting that while passkeys are perceived as more secure, this perception may lack the robustness gained through extensive historical scrutiny and long-term resilience in various security contexts.

The implications of this development extend beyond the technical arena, raising critical considerations for business owners concerned about safeguarding sensitive information against evolving threats in cybersecurity. While the security advantages of passkeys are acknowledged, this newfound vulnerability serves as an urgent reminder that newer technologies may still harbor exploitable weaknesses.

From a cybersecurity strategy perspective, one must consider the MITRE ATT&CK framework to analyze the tactics and techniques that could have enabled this vulnerability. Initial access through social engineering, persistence via sustaining the malicious extension, and potential privilege escalation through the unauthorized control of the passkeys represent critical phases in this type of attack.

As organizations continue to embrace advanced authentication methods such as passkeys, it is imperative to maintain heightened vigilance against evolving threats. The findings presented by SquareX underscore the necessity of continual assessment and refinement of security protocols, ensuring they are resilient against both novel and traditional cyber threats.

Source

Related Posts

CryptoClippy: New Malware Targets Portuguese Cryptocurrency Users

April 5, 2023
Cyber Threat / Malware

A newly identified malware, dubbed CryptoClippy, is specifically targeting Portuguese cryptocurrency users through a malvertising campaign. This sophisticated malware employs SEO poisoning techniques to lure users searching for “WhatsApp web” to malicious domains that host the threat, according to a recent report from Palo Alto Networks’ Unit 42.

CryptoClippy, written in C, is a type of cryware known as clipper malware, which monitors clipboard activity for cryptocurrency addresses. When it detects a match, the malware substitutes the copied address with one controlled by the attacker. “The clipper malware utilizes regular expressions (regexes) to ascertain the cryptocurrency type of the address,” noted researchers from Unit 42. “It then replaces the clipboard entry with a visually similar wallet address belonging to the adversary.”

Iranian Hackers Disguised as Ransomware Operators Executing Destructive Attacks

April 8, 2023
Cyber Warfare / Cyber Threats

The Iranian nation-state group MuddyWater has been implicated in conducting destructive operations on hybrid environments while masquerading as a ransomware campaign. According to new insights from the Microsoft Threat Intelligence team, these threat actors are targeting both on-premises and cloud infrastructures, often collaborating with a recently identified cluster known as DEV-1084. “Despite efforts to present their activities as a typical ransomware operation, the irreversible damage they inflict indicates that destruction and disruption were their primary objectives,” the company reported on Friday. MuddyWater is linked to Iran’s Ministry of Intelligence and Security (MOIS) and has been active at least since 2017, also recognized by various names in the cybersecurity field, including Boggy Serpens.

MSI Confirms Ransomware Attack, Initiates Recovery Measures

In an official statement, Taiwanese PC manufacturer MSI (Micro-Star International) acknowledged being targeted by a cyber attack. The company quickly began implementing incident response and recovery protocols after observing “network anomalies.” MSI has informed law enforcement but did not provide details regarding the timing of the attack or whether any proprietary information, like source code, was compromised. The company reported that affected systems are gradually returning to normal operations with no major impact on its financial activities. In a regulatory filing with the Taiwan Stock Exchange, MSI announced plans to enhance its network and infrastructure security and advised users to obtain firmware and BIOS updates exclusively from its official website to ensure their data’s safety.