Executive Summary
SlowMist CISO 23pds has identified a significant security vulnerability in the WebAuthn key-based login system. This exploit enables attackers to hijack the WebAuthn API through malicious browser extensions or cross-site scripting (XSS) vulnerabilities. The attack allows for the theft of user credentials by either forcing a downgrade to password-based login or tampering with the key registration process. Crucially, this method bypasses the need for physical device access or biometric authentication, posing a substantial risk to platforms utilizing WebAuthn and highlighting systemic security challenges within the Web3 ecosystem.
The Event in Detail
SlowMist's Chief Information Security Officer, 23pds, has revealed a novel WebAuthn key login bypass attack. This method exploits the WebAuthn API by leveraging malicious browser extensions or XSS vulnerabilities on compromised websites. The attack's mechanism involves either coercing a downgrade to less secure password-based logins or manipulating the key registration process to surreptitiously acquire user credentials. A key characteristic of this vulnerability is its ability to operate without requiring physical access to the victim's device or interaction with biometric authenticators like Face ID or Touch ID.
The "Passkeys Pwned" attack, as demonstrated at DEF CON, further clarifies that this is an implementation flaw within WebAuthn, rather than a cryptographic weakness of the standard itself or a criticism of the FIDO Alliance. Attackers can proxy WebAuthn API calls to forge passkey registration and authentication responses. This demonstrates that common web threats, including CDN attacks, XSS, and malicious browser extensions, can facilitate unauthorized access via passkeys, even without directly compromising the user's endpoint, operating system, or browser.
Market Implications
The discovery of this WebAuthn vulnerability signals a critical need for enhanced security vigilance across the digital landscape, particularly within the Web3 ecosystem. If exploited widely, this "Credential Downgrade Attack" could lead to substantial credential theft and significant asset loss, with estimates suggesting potential impacts on digital assets worth hundreds of millions. This scenario mirrors previous supply chain risks, such as the Ledger Connect Kit CDN vulnerability, and highlights the ongoing prevalence of access control failures in Web3, which accounted for $1.6 billion in losses—nearly 70% of all stolen funds—in the first half of 2025.
The potential for widespread identity impersonation and account breaches could severely diminish user confidence in authentication methods currently perceived as secure. Affected enterprises and developers are facing an urgent mandate to review their WebAuthn implementations and deploy mitigating measures to safeguard user assets and maintain trust.
Expert Commentary
23pds of SlowMist first brought attention to this critical WebAuthn vulnerability, underscoring its potential for credential theft without requiring physical device access. Subsequently, SquareX Labs, through their "Passkeys Pwned" presentation at DEF CON, elaborated on the nature of the attack, identifying it as an implementation flaw that capitalizes on common web threats like CDN attacks, XSS, and browser extensions.
Separately, ChainGuard has published an alert regarding a broader "Credential Downgrade Attack" affecting Web3 authentication protocols, which aligns with the mechanics of the WebAuthn vulnerability by forcing less secure password-only access and facilitating the theft of private keys. To counteract these threats, security experts recommend immediate actions, including hardening browsers by rigorously inspecting and blocking malicious scripts, preventing non-whitelisted sites or extensions from accessing WebAuthn APIs, and implementing Multi-Factor Authentication (MFA) for all Identity Providers utilizing passkeys.
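The hijack described above works by replacing the page's view of navigator.credentials.create and navigator.credentials.get. One client-side hardening step a relying party can ship is a tripwire that refuses to start a passkey ceremony when those entry points no longer look like the browser's own code. The block below is an added example, not code from SlowMist, SquareX or the article; `win` stands in for `window`, and `beginCeremony` and `report` are hypothetical callbacks supplied by the relying party's own login code.

```javascript
// Added example (not code from SlowMist, SquareX or the article): a relying
// party's client-side tripwire that refuses to start a passkey ceremony when
// the WebAuthn entry points look hooked by page scripts or an extension.
// `win` stands in for `window` so the check can run under Node for testing.

const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

function looksNative(fn) {
  if (typeof fn !== "function") return false;
  // Call the prototype's toString directly; an own toString on the hook
  // would otherwise be free to answer "[native code]".
  return NATIVE_RE.test(Function.prototype.toString.call(fn));
}

function webauthnIntegrity(win) {
  const problems = [];
  const creds = win.navigator && win.navigator.credentials;
  if (!creds) return { ok: false, problems: ["navigator.credentials unavailable"] };
  for (const name of ["create", "get"]) {
    // Browsers define create/get on CredentialsContainer.prototype; an own
    // property shadowing them is the classic sign of a page-level hook.
    if (Object.prototype.hasOwnProperty.call(creds, name)) {
      problems.push(`navigator.credentials.${name} shadowed by own property`);
    }
    if (!looksNative(creds[name])) {
      problems.push(`navigator.credentials.${name} is not native code`);
    }
  }
  if (!looksNative(win.PublicKeyCredential)) {
    problems.push("PublicKeyCredential is not native code");
  }
  return { ok: problems.length === 0, problems };
}

// Gate the ceremony on the tripwire. On failure, report and stop: never
// downgrade to a password prompt, which is exactly what the attack wants.
function startPasskeyCeremony(win, beginCeremony, report) {
  const result = webauthnIntegrity(win);
  if (!result.ok) {
    report(result.problems);
    return { started: false, problems: result.problems };
  }
  return { started: true, result: beginCeremony() };
}
```

This is a tripwire, not a guarantee: an extension injected at document_start can patch before the page runs, and bound functions or Proxy wrappers also report "[native code]", so server-side checks (attestation verification at registration, no silent password fallback) remain the actual control.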
Broader Context
WebAuthn, a joint standard developed by the W3C and FIDO Alliance, represents a significant advancement towards passwordless and phishing-resistant authentication through the use of public key cryptography. Despite its robust design, the current reliance on centralized relying parties presents a philosophical and practical challenge to the decentralized principles of Web3.
This incident highlights the persistent issue of access control failures within the Web3 domain, which continue to be a primary vector for exploits. Furthermore, the broader landscape of Web3 security is also grappling with vulnerabilities like "blind message attacks," where users are tricked into unknowingly signing malicious transactions; such attacks have been found to risk 75.8% of tested Web3 authentication deployments. The ongoing threats necessitate robust security frameworks, consistent permission checks, and continuous adaptation to emerging attack vectors, potentially accelerating the development and adoption of fully decentralized and peer-to-peer authentication solutions to enhance the resilience of the Web3 ecosystem.