Curated from Security – Ars Technica — Here’s what matters right now:
Don’t believe everything you read—especially when it’s part of a marketing pitch designed to sell security services. The latest example of the runaway hype that can come from such pitches is research published today by SquareX, a startup selling services for securing browsers and other client-side applications. It claims, without basis, to have found a “major passkey vulnerability” that undermines the lofty security promises made by Apple, Google, Microsoft, and thousands of other companies that have enthusiastically embraced passkeys.

Ahoy, face-palm ahead

“Passkeys Pwned,” the attack described in the research, was demonstrated earlier this month in a Defcon presentation. It relies on a malicious browser extension, installed in an earlier social engineering attack, that hijacks the process for creating a passkey for use on Gmail, Microsoft 365, or any of the other thousands of sites that now use the alternative form of authentication.
Original reporting: Security – Ars Technica