Cybersecurity

5689 readers

180 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

Passkey Redaction Attacks Subvert GitHub, Microsoft Authentication (www.darkreading.com)

submitted 4 months ago by BrikoX@lemmy.zip to c/cybersecurity@sh.itjust.works

19 comments fedilink hide all child comments

Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.

you are viewing a single comment's thread
view the rest of the comments

[–] CaptObvious -4 points 4 months ago* (last edited 4 months ago) (14 children)

Wait, haven’t some sources been touting how ultra-secure and unbreakable passkeys are? And now we find that they’re susceptible to comparatively simple MITM attacks?

[–] xyguy@startrek.website 18 points 4 months ago (12 children)

This is just someone siting in the middle and modifying a page not to show the passkey login option anymore and then stealing a password/session token.

As far as I can tell, this has almost nothing to do with passkeys specifically and would only apply in a situation where a website has a username and password fallback in case a passkey isn't created or isnt working.

[–] CaptObvious -3 points 4 months ago (3 children)

If The Next Big Thing can be sidelined by simply blocking its login option, that’s a problem. Not only is it not secure, it’s not even reliably usable.

[–] xyguy@startrek.website 2 points 4 months ago (1 children)

This is more like triple bolting the door but leaving a window open. There's nothing inherently wrong with the door, its still secure but you can bypass the secure option with a less secure method.

[–] CaptObvious 2 points 4 months ago

Arguably, it’s more like someone is able to hide the door altogether and force you to climb through the less-well-secured window. The fact that they can hide the door at all makes its locks meaningless.

I get that this is an inherent problem of security mechanisms in general and not of passkeys in particular. But it still reduces passkeys to just fancy passwords. They’re obviously not any more reliable in practice.

load more comments (1 replies)

load more comments (9 replies)

load more comments (10 replies)