Reverse Engineering Vercel's BotID: A Surprisingly Basic Bot Protection System?

2025-06-30

This post delves into Vercel's newly released BotID anti-bot system, focusing on its free Basic mode. The author reveals that the Basic mode's current detection mechanisms are surprisingly rudimentary and easily bypassed by manipulating browser properties. While BotID collects various signals including browser fingerprints and GPU information, its processing of these signals is basic, failing to effectively identify sophisticated bots. The author speculates that Vercel is using Basic mode to quietly gather data for training future, more robust anti-bot models. The paid Deep Analysis mode, utilizing Kasada's anti-bot scripts, is significantly more complex than Basic mode.

Development

Forging Passkeys: Exploiting the FIDO2/WebAuthn Attack Surface

2025-06-24

This article delves into the security of FIDO2 passkeys. The author reverse-engineered commercial hardware keys and platform authenticators, building a software-only authenticator that mimics a FIDO2 device without kernel drivers. This allowed forging and replaying passkey signatures for headless logins. The process detailed includes capturing real-world traffic, decoding HID handshakes, verifying attestation data, building a software CTAP2 engine, and exploiting Chrome's built-in virtual authenticator. The author successfully logged in without a real security key, highlighting vulnerabilities and proposing mitigations like mandatory sign-counter enforcement, CDP permission restrictions, and relying-party-side checks to enhance passkey security.
