Passkeys Pwned: Turning WebAuthn Against Itself

Presented at DEF CON 33 (2025), Aug. 10, 2025, 11:30 a.m. (45 minutes).

Over the past three years, passkeys have gained widespread adoption among major vendors like Apple, Google, and Microsoft, aiming to replace passwords with a more secure authentication method. However, passkeys haven't yet faced the extensive scrutiny that passwords have endured over decades. As they become central to enterprise identity, it's crucial to examine their resilience. This presentation demonstrates how attackers can proxy WebAuthn API calls to forge passkey registration and authentication responses. We'll showcase this using a browser extension as an example, but the same technique applies to any website vulnerable to client-side script injection, such as XSS or misconfigured widgets. The extension serves merely as a controlled means to proxy credential flows and manipulate the WebAuthn process. We'll delve into the underlying theory, present the exploit code, and provide a live demonstration of an attack that succeeds on sites relying on passkeys without enforcing attestation or metadata checks—a common scenario among vendors. If you’re relying on passkeys, this is the side of the flow you don’t usually get to see. References: - Web Authentication API - mdn web docs - for API documentation - [link](passkeys.io) and [link](passkeys-demo.appspot.com)- for trying out the passkey flow easily - Passwordless login with passkeys by Google Identity - [link](https://developers.google.com/identity/passkeys) - Passkey AAGUIDs list - [link](https://github.com/passkeydeveloper/passkey-authenticator-aaguids)

Presenters:

• Shourya Pratap Singh
  Shourya Pratap Singh is responsible for building SquareX's security-focused extension and conducts research on countering web security risks. As a rising figure in cybersecurity, Shourya has presented his work on global stages including the DEFCON main stage, Recon Village, and Adversary Village, as well as at Black Hat Arsenal EU. He has also delivered several workshops at prestigious events such as the Texas Cyber Summit. Shourya earned his bachelor's degree from IIIT Bhubaneswar and holds a patent. His professional interests focus on strengthening the security of browser extensions and web applications.
• Jonny Lin
  Jonny Lin is a frontend engineer on the extension team at SquareX, where he works on browser security challenges like data loss prevention and detecting web-based vulnerabilities. Before joining SquareX, he was a founding engineer at Velt (YC W23), building collaborative frontend infrastructure for real-time apps. He holds a computer science degree from Santa Clara University and has a strong interest in browsers and pushing the limits of what's possible on the frontend.
• Daniel Seetoh
  Daniel Seetoh currently works on the development of SquareX's browser extension and web app. With a focus on the frontend, Daniel brings a versatile skillset that augments his approach towards cybersecurity. He has earned his degrees from Nanyang Technological University, and enjoys building out products and providing value to users.

Similar Presentations:

• DEF CON 32 (2024) / Modem Operandi, or: How I Owned Hundreds of Millions of Broadband Basebands
• Global AppSec - DC 2019 / Building Secure Password-less Web Applications using WebAuthn
• CrikeyCon VII (2021) / Mad Monster Standards - Exploring Webauthn