- Browsers are the weak link that attackers are now exploiting to take control of passkey logins
- SquareX shows how simple scripts can intercept and hijack the passkey flow
- From the user's perspective, forged passkey requests look completely genuine
For years, the shift away from passwords towards passkeys has been framed as the future of secure authentication.
Relying on cryptographic key pairs instead of weak or reused strings promised to remove the risks that have long plagued password systems.
However, at the recent DEF CON 33 conference, SquareX researchers presented findings that challenge this view, claiming that the very browsers that passkey workflows depend on can be manipulated in ways that bypass their protections.
The mechanics of passkeys
Passkeys work through a system in which a private key remains on the user's device while the corresponding public key is stored by the service provider (the relying party).
To log in, the user verifies their identity locally with biometrics, a PIN or a hardware token; the device then signs a server-issued challenge with the private key, and the server checks that signature against the stored public key.
This structure should eliminate many classic risks, such as phishing and brute-force attacks, yet the whole process assumes that the browser acts as a trustworthy broker between the web page and the authenticator, a role that SquareX's researchers now argue is dangerously fragile.
They showed how an attacker can manipulate the browser environment with a malicious extension or injected script to intercept the registration flow, substitute their own keys, and even trick users into registering under attacker-controlled conditions.
From the victim's perspective, the process looks indistinguishable from a legitimate passkey operation: the familiar biometric prompt still appears, and there is no warning that the credential has been compromised.
Established enterprise security tools, whether endpoint protection or network defenses, do not provide visibility into this level of browser activity.
"Passkeys are a highly trusted form of authentication, so when users see a biometric prompt, they take it as a signal of security," said SquareX researcher Shourya Pratap Singh.
"What they don't know is that attackers can easily hijack passkey registrations and authentication by intercepting the passkey workflow in the browser. This puts virtually every enterprise and consumer application, including critical banking and data-storage apps, at risk."
With the majority of corporate data now stored in SaaS platforms, passkeys are quickly being adopted as a standard authentication method.
SquareX's findings suggest that this transition introduces a new dependence on browser security, an area where oversight has traditionally been weak.
Passkeys may still represent progress over traditional credentials, but SquareX's research shows that no system is entirely free of shortcomings, and organizations may have moved too quickly in embracing passkeys as a universal solution.
How to stay safe
- Use a trusted antivirus product to detect and block hidden malicious code.
- Install extensions only from verified sources and review their permissions regularly; an extension allowed to read and modify web pages can inject exactly the kind of script described above.
- Keep browsers up to date so that the latest security fixes are applied.
- Use a password manager to securely handle older accounts that still depend on passwords.
- Pair logins with an authenticator app to strengthen verification steps.
- Audit browser settings regularly to minimize exposure to unvetted scripts or add-ons.
- Limit the number of devices used for sensitive logins to reduce the attack surface.