Cybersecurity firm SquareX has demonstrated that browser-based attacks can undermine the integrity of passkeys. According to the research team, malicious extensions or injected scripts are capable of manipulating the passkey setup and login process. By hijacking this step, attackers can trick users into registering credentials controlled by the attacker, undermining the entire security model. SquareX argues that this development challenges the belief that passkeys cannot be stolen, calling the finding an important “wake-up call” for the security community.
The proof-of-concept exploit works by taking advantage of the fact that browsers act as the intermediary during passkey creation and authentication. Both the user’s device and the online service must rely on the browser to transmit authentication requests accurately. If the browser environment is compromised, attackers can intercept WebAuthn calls and replace them with their own code. SquareX researchers demonstrated how a seemingly harmless extension could activate during a passkey registration process, generate a new attacker-controlled key pair, and secretly send a copy of the private key to an external server. Although the private key remains on the victim’s device, the duplicate allows the attacker to authenticate into the victim’s accounts elsewhere.
This type of attack could also be refined to sabotage existing passkeys and force users into creating new ones, which are then stolen during setup. SquareX co-founder Vivek Ramachandran explained that although enterprises are adopting passkeys at scale, many organizations lack a full understanding of how the underlying mechanisms work. He emphasized that even the FIDO Alliance, which develops authentication standards, acknowledges that passkeys require a trusted environment to remain secure. Without ensuring that browsers are part of that trusted environment, enterprise users may remain vulnerable to identity-based attacks.
The finding highlights a larger issue with browser extensions, which remain one of the least regulated parts of the internet ecosystem. Security professionals have long warned that extensions can be malicious from the outset or hijacked after installation, providing attackers with direct access to sensitive browser activity. Because an overwhelming majority of users rely on add-ons in Chrome, Edge, and other browsers, the potential for exploitation is significant.
SquareX’s warning comes at a time when passkey adoption is accelerating rapidly, with estimates suggesting more than 15 billion passkeys are already in use worldwide. The company stresses that despite their benefits, passkeys are not immune to the same types of threats that have plagued passwords and authentication codes for decades. As the technology matures, both enterprises and individual users are urged to remain cautious, limit browser extensions to trusted sources, and review installed add-ons regularly to minimize exposure.
