Breaking the Passkey Promise: SquareX Discloses Major Passkey Vulnerability at DEF CON 33
ID: 5533377a-315c-5bf2-8a2d-4d55361b3518
STIX ID: report--5533377a-315c-5bf2-8a2d-4d55361b3518
Feed Name: Security Ledger
SquareX disclosed a passkey vulnerability at DEF CON showing that relatively simple malicious browser scripts and extensions can intercept and fake passkey registration and authentication flows, allowing attackers to access accounts (including banking and enterprise SaaS) without the user's device or biometrics; the report warns that EDR and network controls lack visibility into browser-native attacks and urges adoption of Browser Detection and Response (BDR).
