WebAuthn Vulnerabilities: Browser Weaknesses Allow Hackers to Obtain Credentials

Bitget-RWA 2025/09/22 07:38
By: Coin World
- SlowMist's 23pds warns WebAuthn login systems face credential theft via malicious browser extensions or XSS attacks, enabling forced password fallbacks and key manipulation.
- Critical Firefox flaw CVE-2025-6433 (CVSS 9.8) allows attackers to bypass secure TLS requirements by exploiting certificate exception prompts during WebAuthn challenges.
- SquareX researchers demonstrate passkey-based logins can be compromised through browser environment attacks, injecting malicious JavaScript to forge authenticati

23pds, Chief Information Security Officer at SlowMist Technology, has warned that WebAuthn key login flows can be undermined by attacks that never touch the authenticator itself [2]. The attacker needs code running inside the user's browser: a malicious extension, or JavaScript injected through a cross-site scripting (XSS) flaw on the relying party's site. From that position the attacker can intercept the page's calls to the WebAuthn API (navigator.credentials.create() for registration and navigator.credentials.get() for login) before they reach the browser's native implementation. That is enough to make a passkey ceremony appear to fail so that the site falls back to a password form, or to tamper with the registration ceremony so that the credential the site records is one the attacker influenced rather than one only the user's authenticator holds, all without physical access to the device and without defeating a biometric check such as Face ID [2]. The private key never leaves the authenticator; what is lost is the site's assurance about who holds the key it registered, or who typed the password that replaced it. The exposure is greatest for users who rely on key-based login on sites with unpatched XSS flaws, or who have installed a compromised extension, where the outcome can be account takeover or identity theft [2].

A separate issue, tracked as CVE-2025-6433, affects Firefox versions before 140. In those versions, if a user visited a page with an invalid TLS certificate and accepted a certificate exception, the page could still issue a WebAuthn challenge and the browser would prompt the user to complete it [1]. The WebAuthn specification requires the ceremony to run over a secure transport established without errors, so this behaviour lets a site behind a failed certificate check reach the authenticator [1]. That matters because WebAuthn's phishing resistance rests on origin binding, and origin binding is only as trustworthy as the TLS identity behind the origin: once the user has clicked through a certificate warning, the browser can no longer vouch that the page is the genuine relying party. The vulnerability carries a "Critical" rating with a CVSS score of 9.8, and both Firefox and Thunderbird releases before version 140 are affected [3]. Exploitation requires user interaction: the victim must visit a malicious site presenting an invalid TLS certificate and accept the exception, after which the attacker can trigger a WebAuthn prompt that bypasses the secure-connection requirement [3].

Researchers at SquareX, an enterprise browser-security company, have shown the same class of attack against passkey and WebAuthn logins in a compromised browser [4]. Their demonstration injects JavaScript that impersonates the WebAuthn registration and authentication ceremonies. If the user can be tricked into installing a rogue extension, or if the attacker has XSS on the target site, the injected code can re-run passkey registration on the attacker's terms or push the user back to a password login. The cryptographic property that makes passkeys phishing resistant, a signature bound to the relying party's origin, is never broken; it is sidestepped, because the calls that should reach the browser's native WebAuthn code are answered by the attacker's script first [4]. The weak point is therefore not the passkey cryptography but the trust placed in the browser environment that implements and exposes the WebAuthn API [4].
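The hijack that both the SlowMist warning and the SquareX demonstration describe, and one page-side countermeasure, as an added example that is not code from the article, from SlowMist or from SquareX. Node has no WebAuthn, so the block constructs a minimal stand-in for navigator.credentials; the RP options, the domain example.com and the user name are likewise constructed. The attacker side wraps create() and get() on the prototype, harvests what the relying party sends and forces a NotAllowedError so a naive page falls back to its password form; the page side captures references to the native methods early and refuses to run the ceremony if they have changed.

```javascript
// Added example, not code from the article, SlowMist or SquareX. Node has no
// WebAuthn, so a minimal stand-in for navigator.credentials is constructed
// here; the hook (attacker side) and the reference check (page side) are real.

// ---- constructed stand-in for the browser's CredentialsContainer ----
function makeNavigator() {
  const proto = {
    async create(options) {  // stands in for the native registration ceremony
      return { type: 'public-key', id: 'native-cred', rpId: options.publicKey.rp.id };
    },
    async get(options) {     // stands in for the native authentication ceremony
      return { type: 'public-key', id: 'native-assertion', rpId: options.publicKey.rpId };
    },
  };
  return { credentials: Object.create(proto) };
}

// Constructed RP options in the shape of PublicKeyCredentialCreationOptions.
const createOptions = {
  publicKey: {
    rp: { id: 'example.com', name: 'Example' },
    user: { id: new Uint8Array([1, 2, 3]), name: 'alice@example.com', displayName: 'Alice' },
    challenge: new Uint8Array(32),
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
  },
};

// ---- attacker side: what an extension content script or an XSS payload can do ----
// Replacing the methods on the prototype routes every later call from the page
// through the attacker first. No device access or biometric is involved.
function installHijack(nav, harvested) {
  const proto = Object.getPrototypeOf(nav.credentials);
  const realGet = proto.get;
  proto.create = function (options) {
    // Record what the RP handed over, then make registration look cancelled so
    // the RP's UI offers its password form instead.
    harvested.push({ ceremony: 'create', rpId: options.publicKey.rp.id,
                     user: options.publicKey.user.name });
    const err = new Error('The operation is not allowed');
    err.name = 'NotAllowedError';  // the name a user-cancelled ceremony produces
    return Promise.reject(err);
  };
  proto.get = function (options) { // pass-through wrapper: logs and stays invisible
    harvested.push({ ceremony: 'get', rpId: options.publicKey.rpId });
    return realGet.call(this, options);
  };
}

// ---- relying party page side ----
// Capture references in an inline script at the top of the document, before a
// content script injected at document_idle or an XSS payload has run.
function captureReference(nav) {
  const proto = Object.getPrototypeOf(nav.credentials);
  return { proto, create: proto.create, get: proto.get };
}

// Names of methods that no longer match the snapshot: the container was swapped,
// a method was shadowed on the instance, or the prototype was patched.
function tamperedMethods(nav, ref) {
  const container = nav.credentials;
  const proto = Object.getPrototypeOf(container);
  const bad = [];
  for (const name of ['create', 'get']) {
    const shadowed = Object.prototype.hasOwnProperty.call(container, name);
    const desc = Object.getOwnPropertyDescriptor(proto, name);
    if (proto !== ref.proto || shadowed || !desc || desc.value !== ref[name]) bad.push(name);
  }
  return bad;
}

// Naive flow: any NotAllowedError is read as "user cancelled", so a hooked
// create() silently steers the user to the password form.
async function naiveRegister(nav, options) {
  try {
    const cred = await nav.credentials.create(options);
    return { outcome: 'passkey', id: cred.id };
  } catch (e) {
    return { outcome: 'password-fallback', reason: e.name };
  }
}

// Hardened flow: if the API no longer matches the snapshot, refuse to run the
// ceremony at all instead of offering the fallback the attacker wants.
async function hardenedRegister(nav, ref, options) {
  const tampered = tamperedMethods(nav, ref);
  if (tampered.length) return { outcome: 'refused', tampered };
  return naiveRegister(nav, options);
}

async function demo() {
  const nav = makeNavigator();
  const ref = captureReference(nav);         // page's early snapshot
  const before = tamperedMethods(nav, ref);  // [] on a clean page
  const harvested = [];
  installHijack(nav, harvested);             // extension or XSS runs afterwards
  const naive = await naiveRegister(nav, createOptions);
  const hardened = await hardenedRegister(nav, ref, createOptions);
  return { before, after: tamperedMethods(nav, ref), harvested, naive, hardened };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The reference check raises the bar but is not a complete defence: an extension with a content script at document_start runs before any inline page script, and a script that controls the page can also patch Object.getPrototypeOf or Function.prototype.toString, which is why the common "does the method stringify to [native code]" test is weaker than it looks. The durable controls sit outside the page: an extension allow-list enforced by enterprise browser policy, a Content Security Policy that closes the XSS route, and on the server side, requiring attestation from known authenticators for high-value registrations and treating a sudden passkey-failed-use-password transition as an event to alert on rather than a normal path.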

The findings call for defences at every layer. Users should install only extensions they trust and should not accept exceptions for invalid TLS certificates [1]. Organisations should upgrade Firefox and Thunderbird to version 140 or later to close CVE-2025-6433 [1]. Developers of relying parties should handle certificate errors strictly, follow secure coding practices that prevent XSS (a strict Content Security Policy that disallows inline and untrusted script is the usual control), and avoid treating a failed passkey ceremony as a silent cue to show the password form, since a forced fallback is exactly what a WebAuthn hijack is trying to provoke [4].

WebAuthn, a joint effort of the W3C and the FIDO Alliance, is designed to replace shared-secret passwords with public-key cryptography: the private key stays on the user's authenticator and the relying party stores only the public key [2]. The findings above show that this guarantee holds only when the standard is integrated correctly and the browser and the site around it are free of exploitable flaws. WebAuthn still offers far stronger phishing protection than password-based multi-factor authentication, but its adoption has been gradual [5]. The newly disclosed issues underline the need for continuous monitoring and prompt patching if passwordless authentication is to remain trustworthy [5].
