CVE-2024-9956 PassKey Account Takeover in All Mobile Browsers – Mastersplinter.work
Published on: 2025-03-19
Intelligence Report: CVE-2024-9956 PassKey Account Takeover in All Mobile Browsers – Mastersplinter.work
1. BLUF (Bottom Line Up Front)
The vulnerability CVE-2024-9956 allows attackers within Bluetooth range to initiate a PassKey account takeover via mobile browsers. This exploit leverages misconfigurations in PassKey implementations, enabling attackers to phish credentials and compromise user accounts. Immediate attention to secure PassKey configurations and cross-device authentication protocols is recommended to mitigate this risk.
2. Detailed Analysis
The following structured analytic techniques have been applied for this analysis:
General Analysis
The vulnerability arises from the ability of attackers to trigger FIDO intents through maliciously crafted URLs, which are processed by mobile browsers. This allows attackers to initiate legitimate PassKey authentication requests that are redirected to attacker-controlled devices. The exploit is exacerbated by permissive origin settings, subdomain takeovers, and inadequate email validation, leading to potential account takeovers.
The research highlights the importance of secure origin validation and the risks associated with cross-device authentication flows. The vulnerability underscores the need for robust security boundaries in PassKey implementations to prevent misuse of credentials and unauthorized access.
3. Implications and Strategic Risks
The exploitation of CVE-2024-9956 poses significant risks to user privacy and security, with potential impacts on financial institutions, e-commerce platforms, and other sectors reliant on PassKey authentication. The vulnerability threatens national security by enabling unauthorized access to sensitive systems and data. Economic interests are at risk due to potential financial fraud and reputational damage to affected organizations.
4. Recommendations and Outlook
Recommendations:
- Implement strict origin validation and whitelist acceptable origins to prevent misuse of credentials.
- Enhance cross-device authentication protocols to ensure secure communication and prevent phishing attacks.
- Conduct regular security audits and penetration testing to identify and mitigate vulnerabilities in PassKey implementations.
- Promote awareness and training for developers and users on secure authentication practices.
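The strict origin validation recommended above, shown as an added example that is not from the original report or from any particular PassKey vendor. It performs the relying-party-side check of a WebAuthn clientDataJSON blob: the ceremony type, the session challenge, and an exact-match origin allowlist (the origins and challenge values are assumed placeholders). A wildcard such as "any subdomain of example.com" is deliberately not supported, because a taken-over subdomain would then pass.

```python
import base64
import json
import secrets

# Exact origins this relying party accepts (assumed placeholder values).
# No wildcards: a hijacked subdomain must not satisfy the check.
ALLOWED_ORIGINS = {"https://app.example.com", "https://login.example.com"}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def validate_client_data(client_data_b64: str, expected_challenge: bytes,
                         expected_type: str = "webauthn.get") -> tuple[bool, str]:
    """Check the authenticator's clientDataJSON against what the RP issued.

    Covers only the type / challenge / origin step of the WebAuthn ceremony;
    rpIdHash and signature verification happen separately on authenticatorData.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # binascii.Error and JSONDecodeError both subclass ValueError
        return False, "clientDataJSON is not valid base64url JSON"
    if client_data.get("type") != expected_type:
        return False, "unexpected ceremony type"
    try:
        got_challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "challenge is not base64url"
    # Bind the assertion to this session; constant-time comparison.
    if not secrets.compare_digest(got_challenge, expected_challenge):
        return False, "challenge mismatch"
    # Exact match only: rejects other schemes, ports and subdomains.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin!r}"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> str:
    """Build a constructed sample clientDataJSON the way a browser would (test helper)."""
    payload = {"type": typ, "challenge": b64url_encode(challenge),
               "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(payload).encode())
```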
Outlook:
In the best-case scenario, rapid implementation of security measures will mitigate the vulnerability, restoring confidence in PassKey authentication. In the worst-case scenario, widespread exploitation could lead to significant financial losses and erosion of trust in digital authentication systems. The most likely outcome involves a gradual improvement in security practices, driven by regulatory pressure and technological advancements.
5. Key Individuals and Entities
The report does not mention specific individuals by name but emphasizes the role of developers, security researchers, and organizations involved in the implementation and oversight of PassKey authentication systems.