PassKeys Phishing Vulnerability in Major Mobile Browsers: Bluetooth Range Attack
2025-03-19

A security researcher discovered a vulnerability affecting all major mobile browsers that allows an attacker within Bluetooth range to hijack PassKeys accounts by triggering FIDO:/ intents. A webpage under the attacker's control redirects the victim to a FIDO:/ URI, which starts a legitimate PassKeys authentication flow whose intent is received on the attacker's device. This makes PassKeys phishing possible, breaking the assumption that PassKeys are immune to phishing. The vulnerability does not require any complex web application misconfiguration to achieve account takeover. All major mobile browsers have patched it (CVE-2024-9956).
Tech
Mobile Browsers