How Attackers Bypass Synced Passkeys

Oh, *Now* They’re Worried About Passkeys? Seriously?

Synced Passkeys: Another Security “Revolution” Down the Drain

Right. So all those so-called security experts were flapping their gums about passkeys being the end of passwords and how *secure* they are? Yeah, well, surprise fucking surprise: it turns out they’re not. This article details how attackers are already finding ways around synced passkeys. Apparently, if you’re dumb enough to sync your passkeys across multiple devices (because convenience is king, naturally), a compromise of any one of those devices, or of the cloud account that does the syncing, can let the bad guys waltz into everything else.

Specifically, it’s about how attackers go after the cloud sync services themselves: iCloud Keychain, Google Password Manager, Microsoft Account. They use account takeover (shocking!) and malware to get into the synced passkey store, and once they hold the account, the passkey private keys replicate down to whatever device they enroll, so they effectively have a working copy of every passkey you own and can use it wherever you do. It’s not even particularly clever; it just exploits the fact that people are lazy and trust these cloud providers with way too much.

The article also mentions phishing: tricking users into approving a sign-in or new-device prompt on the cloud account, which hands the attacker exactly the sync access they need. It mentions vulnerabilities in the passkey protocols themselves too, though it treats that as the rarer route right now; the practical attacks go after the account and sync layer. Basically, with synced passkeys you’re trusting every synced device, the cloud account, and its recovery flow all at once, instead of a single key that never leaves one piece of hardware. And we all know how well *that* usually works out.

The “solution”? Oh, it’s brilliant. They suggest limiting syncing to devices you actually trust and turning on multi-factor authentication for the cloud account itself (like that’ll stop a determined attacker). Honestly, the best advice is probably to just not use synced passkeys at all if you actually care about security. But nobody listens to me, do they?
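There is one check the article doesn’t cover, and it belongs on the other side of the connection. A relying party can tell a synced passkey from a device-bound one, because WebAuthn authenticator data carries a Backup Eligibility (BE) flag and a Backup State (BS) flag in its flags byte, and it can see that the signature counter is useless for clone detection on a synced key (synced passkeys report 0 every time, since no single device owns the counter). The script below is an added example, not code from the article or from any passkey provider: it parses the fixed 37-byte prefix of authenticator data, runs the counter clone check from the WebAuthn verification procedure, and steps up authentication when a syncable passkey is used for a high-risk action. It assumes the relying party has already verified the assertion signature and challenge; the flag bit values are from the WebAuthn specification, while `example.com`, the helper names and the sample assertions are constructed for the example.

```python
"""Relying-party side check for synced passkeys (added example).

Parses the authenticator data of a WebAuthn assertion, reads the BE/BS
flags that distinguish a synced passkey from a device-bound one, and
applies the signature-counter clone check. Assumes the signature and the
challenge have already been verified by the relying party.

Authenticator data layout (WebAuthn): rpIdHash (32 bytes) | flags (1 byte)
| signCount (4 bytes, big-endian) | optional attested credential data and
extensions.
"""
import hashlib
import struct
from dataclasses import dataclass

# Flag bits in the authenticator-data flags byte (WebAuthn spec values).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the private key may be synced off this device
FLAG_BS = 0x10  # backup state: the private key is currently synced / backed up


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix of authenticator data."""
    if len(raw) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed authenticator data for the samples below (hypothetical helper)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def assess_assertion(raw: bytes, rp_id: str, stored_sign_count: int, high_risk: bool) -> tuple:
    """Return (decision, reason) with decision in 'allow', 'step_up', 'reject'.

    stored_sign_count is the counter saved from the credential's last use;
    high_risk marks actions such as changing the recovery email or
    registering another passkey.
    """
    ad = parse_auth_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "reject", "rpIdHash does not match this relying party"
    if not ad.has(FLAG_UP):
        return "reject", "user presence flag not set"

    # Clone check from the WebAuthn verification procedure. It only means
    # something when the authenticator maintains a counter; synced passkeys
    # report 0 on every assertion because the key lives on several devices,
    # which is exactly why this check cannot catch a passkey replicated
    # through a hijacked sync account.
    if ad.sign_count != 0 or stored_sign_count != 0:
        if ad.sign_count <= stored_sign_count:
            return "reject", "signature counter did not advance: possible cloned credential"

    syncable = ad.has(FLAG_BE)
    if syncable and high_risk:
        state = "currently synced" if ad.has(FLAG_BS) else "sync-capable"
        return "step_up", f"{state} passkey used for a high-risk action; require a second factor"
    return "allow", ("synced passkey, low-risk action" if syncable else "device-bound passkey")


if __name__ == "__main__":
    # Constructed sample assertions, not captured traffic.
    bound = make_auth_data("example.com", FLAG_UP | FLAG_UV, 42)
    synced = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(assess_assertion(bound, "example.com", 41, True))    # allow
    print(assess_assertion(bound, "example.com", 42, False))   # reject: counter did not advance
    print(assess_assertion(synced, "example.com", 0, True))    # step_up
    print(assess_assertion(synced, "example.com", 0, False))   # allow
```

The step-up branch keys on BE rather than BS because a key that is backup-eligible can be synced later even if it isn’t right now; a relying party that wants a stricter rule can refuse BE credentials outright at registration for its most sensitive accounts.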

Look, I remember when people thought WEP was secure. Then WPA came along and *that* lasted a whole afternoon. Now it’s passkeys. It’s always the same goddamn story: shiny new thing, everyone gets excited, then someone finds a way to break it. And the users? They just keep falling for it.

Source: How Attackers Bypass Synced Passkeys