PANews reported on September 22nd that SlowMist Technology's Chief Information Security Officer, 23pds, posted on the X platform that researchers have discovered a new attack that can bypass WebAuthn passkey login. Attackers can hijack the WebAuthn API through a malicious browser extension, or through an XSS vulnerability on the website itself, to force a downgrade to password login or to tamper with the passkey registration flow and capture user credentials. The attack does not require access to the victim's device or to Face ID. Users who log in with a passkey on a site that has such a vulnerability, or in a browser with a malicious extension installed, can be impersonated, leading to account compromise.
WebAuthn (Web Authentication) is a web standard developed by the W3C and FIDO Alliance. It aims to achieve secure authentication through public key cryptography, replacing or supplementing traditional passwords. Users can log in using hardware security keys (such as YubiKey), built-in platform authenticators (such as Windows Hello, Touch ID, Android biometrics), or devices that comply with the FIDO2 standard.
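As an added example (not from the PANews report, SlowMist, or any browser vendor), a best-effort client-side audit that a site's own script could run early to notice naive replacement of the WebAuthn entry points by injected page script. `auditWebAuthnSurface`, the `FakeContainer` class and the fixture objects are constructed stand-ins for a browser's `navigator`, assumed here so the code runs outside a browser.

```javascript
// Capture the genuine toString before any later script can replace it.
const nativeToString = Function.prototype.toString;
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

function isNative(fn) {
  return typeof fn === 'function' && NATIVE_RE.test(nativeToString.call(fn));
}

// Audit a navigator-like object plus the relevant globals. Returns a list of
// findings; an empty list means nothing suspicious was seen, not proof of
// integrity: a Proxy or a .bind() wrapper also prints "[native code]".
function auditWebAuthnSurface(nav, globals) {
  const findings = [];
  const creds = nav && nav.credentials;
  if (!creds) {
    findings.push('navigator.credentials absent: passkey login would fall back to a password');
    return findings;
  }
  for (const name of ['create', 'get']) {
    // In a real browser create()/get() live on CredentialsContainer.prototype;
    // an own property on the instance means something shadowed them after load.
    if (Object.prototype.hasOwnProperty.call(creds, name)) {
      findings.push(`credentials.${name} is an own property (shadowed)`);
    }
    if (!isNative(creds[name])) {
      findings.push(`credentials.${name} is not native code (overridden)`);
    }
  }
  if (globals && typeof globals.PublicKeyCredential !== 'function') {
    findings.push('PublicKeyCredential missing: feature detection would report no passkey support');
  }
  return findings;
}

// Constructed stand-in for a clean browser: the prototype methods are real
// native functions so the toString check behaves as it would in a browser.
class FakeContainer {}
FakeContainer.prototype.create = Object.getOwnPropertyNames;
FakeContainer.prototype.get = Object.getOwnPropertyNames;
const cleanNav = { credentials: new FakeContainer() };
const cleanGlobals = { PublicKeyCredential: function PublicKeyCredential() {} };

// Constructed stand-in for a page where injected script replaced get() with
// its own JavaScript implementation, set as an own property on the container.
const tamperedNav = { credentials: new FakeContainer() };
tamperedNav.credentials.get = async function get() { return null; };
```

This only catches crude overrides; the actual controls against the reported attack are a strict CSP to block XSS and keeping untrusted extensions out of browsers used for passkey login.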
