[programmarchy]

I’m missing something. If WebAuthn is “ssh for the web” then why would it matter if Bob was phished and logged into the fake crypto portal running on the raspberry pi? It’s not like the attacker now knows his private key. Is the danger that Bob also would share his crypto wallet keys with the fake site or something?

[lxgr]

By the analogy of SSH, this vulnerability is more of an exposed/incorrectly permissioned SSH agent Unix domain socket than a private key compromise.

Whether that's catastrophic or not will vary case by case and depends on what exactly you're securing with the key.

[garaetjjte]

Attacker is now logged in on the real crypto portal as Bob. SSH equivalent would be like connecting to malicious server with SSH agent forwarding enabled.

[programmarchy]

Okay, that makes sense. I thought they could just log in to a dummy site, not that it was proxying requests through to a real site. Yikes.

[reportgunner]

I suppose you can completely skip dummy sites when phishing for passkeys since the user doesn't know the password and therefore you don't need him to enter said password anywhere (which is why you needed a dummy site in the first place).

[vlovich123]

The attacker has access to whatever the passkey was protecting. It's like asking who cares about password phishing. And FWIW a crypto portal in front of something like Coinbase can obviously do a lot of damage since most people do not keep their crypto in their own personal cold storage.

[chc4]

The attacker controlled proxy is the one that logged in, and so captured a valid session for the user account that they can use afaik