undefined | Better HN

0 pointstadfisher1mo ago0 comments

> He then walks them through "updating" their app, effectively going through the "new device" workflow - except the new device is the same as the old one, just with the backdoored app.

This is where the scheme breaks down: the new passkey credential can never be associated with the legitimate RP. The attacker will not be able to use the credential to sign in to the legitimate app/site and steal money.

The attacker controls the fake/backdoored app, but they do not control the signing key which is ultimately used to associate app <-> domain <-> passkey, and they do not control the system credentials service which checks this association. You don't even need attestation to prevent this scenario.

0 comments

Tharre1mo ago

> do not control the signing key which is ultimately used to associate app <-> domain <-> passkey, and they do not control the system credentials service which checks this association.

You're assuming the attacker must go through the credential manager and the backing hardware, but that is only the case with attestation. Without it, the attacker can simply generate their own passkey in software, because the backend on the banks side would have no way of telling where the passkey came from.

tadfisherOP1mo ago

How did the service authenticate the user in order to create the new credential within the attacker-controlled app?

Tharre1mo ago

With banks, typically a combination of your account number, pin and some confirmation code sent via email or SMS. And of course unregistering your previous device. Not sure where you're going with this though?

1 more reply

j / k navigate · click thread line to collapse

0 pointstadfisher1mo ago0 comments

> He then walks them through "updating" their app, effectively going through the "new device" workflow - except the new device is the same as the old one, just with the backdoored app.

0 comments

Tharre1mo ago

> do not control the signing key which is ultimately used to associate app <-> domain <-> passkey, and they do not control the system credentials service which checks this association.

tadfisherOP1mo ago

How did the service authenticate the user in order to create the new credential within the attacker-controlled app?

Tharre1mo ago

1 more reply

j / k navigate · click thread line to collapse