Report URI shares the results of a targeted penetration test on their newly implemented Passkeys (WebAuthn-based 2FA) feature. Eight findings were identified by Pentest Ltd., including empty, overlong and duplicate credential IDs, an origin mismatch bug in the WebAuthn library, a cross-origin validation failure, an unvalidated user handle, invalid attestation statements, invalid backup flags, and improper token binding handling. None of the findings posed an actual security risk or allowed unauthorized access. Several bugs were patched locally and the fixes were upstreamed to the WebAuthn library. The full penetration test report is published publicly.
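As an added illustration (not Report URI's code and not the WebAuthn library's), the relying-party checks below turn the finding classes listed above (empty, overlong or duplicate credential IDs, origin mismatch, cross-origin ceremonies, user handle length, inconsistent backup flags) into validation code. The response layout, the `https://example.com` origin and the sample responses are constructed for the example.

```python
import base64
import json

# Limits from the WebAuthn spec: a credential ID is at most 1023 bytes and a
# user handle (user.id) is 1..64 bytes. Flag bits are from authenticator data.
MAX_CREDENTIAL_ID_LEN = 1023
MAX_USER_HANDLE_LEN = 64
FLAG_BE = 0x08  # backup eligible
FLAG_BS = 0x10  # backup state (BS set without BE is invalid per the spec)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_response(cred_id: bytes, origin: str, flags: int, cross_origin: bool = False) -> dict:
    """Build a constructed (not real) registration response for testing."""
    client_data = {"type": "webauthn.create", "challenge": "constructed",
                   "origin": origin, "crossOrigin": cross_origin}
    # authenticatorData: 32-byte rpIdHash placeholder followed by the flags byte.
    auth_data = bytes(32) + bytes([flags])
    return {"rawId": b64url_encode(cred_id),
            "clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
            "authenticatorData": auth_data}


def validate_registration(resp: dict, expected_origin: str,
                          known_credential_ids: set, user_handle: bytes) -> list:
    """Return the list of problems found; an empty list means every check passed."""
    findings = []
    cred_id = b64url_decode(resp["rawId"])
    if len(cred_id) == 0:
        findings.append("empty credential id")
    elif len(cred_id) > MAX_CREDENTIAL_ID_LEN:
        findings.append("overlong credential id")
    if cred_id in known_credential_ids:  # reject re-registration of a known ID
        findings.append("duplicate credential id")
    client_data = json.loads(b64url_decode(resp["clientDataJSON"]))
    if client_data.get("origin") != expected_origin:  # exact match, no prefix logic
        findings.append("origin mismatch")
    if client_data.get("crossOrigin", False):
        findings.append("cross-origin ceremony")
    if not 1 <= len(user_handle) <= MAX_USER_HANDLE_LEN:
        findings.append("invalid user handle length")
    flags = resp["authenticatorData"][32]
    if flags & FLAG_BS and not flags & FLAG_BE:
        findings.append("invalid backup flags (BS set without BE)")
    return findings
```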