programmarchy | 11 months ago

I’m missing something. If WebAuthn is “ssh for the web” then why would it matter if Bob was phished and logged into the fake crypto portal running on the raspberry pi? It’s not like the attacker now knows his private key. Is the danger that Bob also would share his crypto wallet keys with the fake site or something?

lxgr|11 months ago

By the analogy of SSH, this vulnerability is more of an exposed/incorrectly permissioned SSH agent Unix domain socket than a private key compromise.

Whether that's catastrophic or not will vary case by case and depends on what exactly you're securing with the key.

garaetjjte|11 months ago

Attacker is now logged in on the real crypto portal as Bob. SSH equivalent would be like connecting to malicious server with SSH agent forwarding enabled.

programmarchy|11 months ago

Okay, that makes sense. I thought they could just log in to a dummy site, not that it was proxying requests through to a real site. Yikes.

vlovich123|11 months ago

The attacker has access to whatever the passkey was protecting. It's like asking who cares about password phishing. And FWIW a crypto portal in front of something like Coinbase can obviously do a lot of damage since most people do not keep their crypto in their own personal cold storage.

chc4|11 months ago

The attacker-controlled proxy is the one that logged in, and so captured a valid session for the user account that they can use, afaik.