scy, 2 months ago

Okay wait, is this really the #FIDO2 #Passkey #PIN flow on #Firefox?

First screenshot is the real PIN prompt, second one is a JavaScript prompt() with a custom prompt text.

The only differences are:

• PIN dialog is at the top of the window, prompt() centered.
• PIN dialog says "Sign In" on the button, prompt() says "OK" (which is not customizable).
• PIN dialog has "https://", prompt() just the domain.

I'd say that makes it pretty trivial to phish for Passkey PINs … 🤦‍♂️

#ITSecurity #OpSec

Screenshot of a popup somewhat similar to the first one. This time, it's a JavaScript live demo on w3schools.com. The popup dialog has a world icon, followed by "www.w3schools.com" as its title, followed by the text "Please enter the PIN for your device." Below that, a wide text input field, with two buttons below it: "Cancel" and "OK". The dialog is not overlapping the URL bar this time, but centered in the viewport.