scy, Okay wait, is this really the #FIDO2 #Passkey #PIN flow on #Firefox?
First screenshot is the real PIN prompt, second one is a JavaScript prompt() with a custom prompt text.
The only differences are:
• PIN dialog is at the top of the window, prompt() centered.
• PIN dialog says "Sign In" on the button, prompt() says "OK" (which is not customizable).
• PIN dialog has "https://", prompt() just the domain.
I'd say that makes it pretty trivial to phish for Passkey PINs … 🤦‍♂️