
Passkey redaction attacks undermine GitHub and Microsoft authentication

While online accounts are increasingly protected by passkey technology, it turns out that many banking, e-commerce, social media, domain name management, software development platform, cloud, and other accounts can still be compromised through adversary-in-the-middle (AitM) attacks that render passkeys useless.

This is the view of Joe Stewart, senior security researcher at eSentire’s Threat Response Unit (TRU). He says the problem is not with the passkeys themselves, but with their implementation and the need for account recovery options.

Many websites offer less secure backup authentication methods in case a user has a problem with their passkey or loses a device, so that accounts are not rendered irretrievable. Attackers can exploit this by inserting themselves between the user and the website, as in any AitM scenario, and then manipulating the appearance of the login screen so that the user is not shown the passkey option at all.

“Since the AitM can manipulate the view presented to the user through changes to the HTML, CSS, images or JavaScript on the login page as it is passed to the end user, they can control the authentication flow and remove all references to passkey authentication,” Stewart explained in a blog entry about his findings, which he called “authentication method redaction attacks.”

This strategy allows them to force a target to switch to a less secure alternative that can be intercepted by the lurking adversary. And it’s a discovery that “blows a hole in the security debate around passkeys,” Stewart tells Dark Reading.

“We looked into this and found that some, if not all, of the available passkey authentication mechanisms have the same problem: They offer passkeys as one of many options and attackers can simply remove that option. Then they’re left with the less secure methods, which opens the door for them to take over accounts,” he says.

GitHub and Microsoft Passkey implementations vulnerable to attacks

In a proof-of-concept (PoC) example of this attack flow, Stewart was able to use the open source Evilginx AitM software to proxy and modify a real GitHub login page, removing the “Log in with a passkey” text from the page so the user could not see it and instead offering the option to select a different login method.

“Unless the user specifically remembers that a passkey option should be presented, they will most likely simply enter their username and password, which will be sent to the attacker along with the authentication token/cookies that allow the attacker to maintain permanent access to the account,” says Stewart.

In another scenario where a passkey is used as a second authentication factor, Stewart noted that it is again trivial to rewrite the page’s HTML to remove the second passkey authentication method entirely. Or, he explained in the findings, an attacker could “use injected JavaScript to click on one of the alternative methods and automatically jump forward in the authentication flow, so the user isn’t even aware there was a choice.”

As he wrote in the post, “Since other two-factor methods, such as an authenticator app or recovery code, are not AitM-resistant, the attacker will again be able to steal all the credentials and tokens/cookies needed to access the account.”

In a third scenario, involving a personal Microsoft account, the passkey sign-in option can be hidden in the same way. Microsoft has introduced a new “passwordless” option that could theoretically prevent this type of attack. The bad news? It can’t prevent passkey redaction, because the passwordless account option requires the Microsoft Authenticator application as the only method of identity verification, a flow that is itself still vulnerable to AitM attacks, Stewart explains.

As mentioned, GitHub and Microsoft are not alone; most major retailers and cloud app providers have the same problem.

Not a weak point, but a sad reality

Stewart emphasizes that authentication method redaction attacks succeed not because of errors in passkey implementations or security vulnerabilities, but because authentication in general is not yet mature.

For one, most users are not yet familiar enough with passkeys and don’t know how to detect whether a page has been tampered with; for another, implementers may not realize how an AitM can change the login view. And the fact remains that offering account recovery options is a must: passkeys are stored on hardware devices, so if the device is lost, there must be another way to access the account. Unfortunately, these backups are almost always vulnerable to AitM.

“If account recovery were not necessary, an AitM-resistant passkey authentication flow could be fairly straightforward, doing away with passwords in favor of passkeys altogether,” Stewart wrote in the post. “Unfortunately, we live in the real world and passkeys are inevitably lost when the device is lost or reset. As a partial solution, passkeys can be managed by a password manager, which provides greater resilience against loss, but the trade-off is that the security of the password manager vault itself now depends, at best, on a master password and a second secret code.”

When his team contacted some of the affected vendors, they were actually grateful for the information, he says – but there remains some anger about how difficult it is to improve authentication methods in the consumer space. At the moment, it feels like their hands are tied.

“Everyone always thinks: we know that this person is going to get locked out at some point, that they’re going to lose their security key, and so we need to provide all these backup authentication methods, and unfortunately that plays into the hands of the people who are running the phishing kits,” he says. “There’s a feeling that consumers don’t really understand passkeys.”

But that’s not to say there aren’t better implementations, which Stewart said he’s keen to promote – especially when it comes to account recovery magic links, which are “probably the safest method,” Stewart said. “Magic links” are sent to an email account and take the user to a new login window to log in.

“If you click on a link that was sent to you via email and a completely new window opens, that’s a direct link from you to the real site; you bypass the phishing window and get out of that hijacked session,” he says. “And then you can go through the process of secure authentication with a passkey if it was redacted in a compromised session.”

The only caveat is that this method is only as secure as an email inbox or the SMS network, which are also common targets of attackers. For this reason, Stewart recommends employing additional layers of security, such as ensuring that the links are auto-generated one-time links with short timeouts and that logins are only allowed from previously authenticated IP addresses.

It is also possible to implement “Ward Links,” which are like magic links but also require security questions or the entry of a backup code to use, says Stewart.

On a positive note, some of the vendors the team spoke with are open to considering such new approaches to defending against AitM attacks, he adds.

How companies can defend against passkey redaction attacks

Beyond the obvious (using hardware-based keys and requiring replacement passwords to be complex and unique for each site), security teams within organizations have some options to strengthen defenses against forced authentication downgrades, Stewart notes, including using the Magic and Ward links mentioned earlier.

For example, Microsoft’s Entra ID (formerly known as Azure AD) and Intune allow administrators to configure conditional access policies that can block proxied logins from succeeding, for instance by allowing sign-in only from “domain-joined, policy-compliant, managed devices.”

“If you verify that you’re on a computer that’s joined to a domain and you can’t log into any of those services without having the appropriate permissions, it’s much harder for someone to just steal the credentials and run with them,” Stewart explains.

In addition, many enterprise identity and access management (IAM) solutions allow administrators to define the login and account recovery flow for the organization, groups or individual users. “So it may be possible to define a secure, passwordless login flow using passkeys that is not vulnerable to attacks by redacting the authentication method,” says Stewart, citing the open source IAM software Keycloak as one platform with this capability.

In general, security teams should assume that every login session has been compromised by AitM and ensure that any attempt to override the authentication method from passkeys requires the existing session to be “broken out” before proceeding.
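The two server-side controls described above (one-time, short-lived recovery links bound to previously authenticated IPs, and refusing a fallback method for passkey accounts unless the user first broke out of the current session) can be sketched as follows. This is an added illustration, not code from Stewart’s post or from any vendor; the account model, the in-memory stores and the `session_broke_out` flag are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical in-memory model; a real deployment would back this with a database.
@dataclass
class Account:
    passkey_count: int                              # registered passkeys
    known_ips: set = field(default_factory=set)     # IPs seen on earlier authenticated sessions

@dataclass
class MagicLink:
    user: str
    expires_at: float
    used: bool = False

LINK_TTL_SECONDS = 600     # short timeout for recovery links
ACCOUNTS = {}              # user -> Account
LINKS = {}                 # token -> MagicLink

def offered_methods(user: str, session_broke_out: bool) -> set:
    """Server-side decision on which login methods are acceptable for this session.
    A proxy can hide the passkey button in the HTML it relays, but it cannot make
    the server accept a method the server never offered."""
    acct = ACCOUNTS[user]
    if acct.passkey_count == 0:
        return {"password", "totp"}        # no passkey enrolled yet: legacy flow
    if session_broke_out:
        return {"passkey", "password"}     # recovery path, reached only via a redeemed link
    return {"passkey"}                     # passkey accounts get no phishable fallback in-session

def issue_magic_link(user: str, now: Optional[float] = None) -> str:
    """Create a single-use, short-lived recovery token for the user."""
    token = secrets.token_urlsafe(32)
    start = now if now is not None else time.time()
    LINKS[token] = MagicLink(user, start + LINK_TTL_SECONDS)
    return token

def redeem_magic_link(token: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the token is known, unused, unexpired and presented from a
    previously authenticated IP; otherwise None. The token is burned on first success."""
    link = LINKS.get(token)
    current = now if now is not None else time.time()
    if link is None or link.used or current > link.expires_at:
        return None
    if client_ip not in ACCOUNTS[link.user].known_ips:
        return None
    link.used = True
    return link.user

def attempt_login(user: str, method: str, session_broke_out: bool) -> bool:
    """Reject any method not offered for this session; a redaction downgrade needs exactly that."""
    return user in ACCOUNTS and method in offered_methods(user, session_broke_out)
```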

Finally, “Encourage or require users to add multiple passkeys so that losing one key does not block access to the account or require resorting to less secure authentication methods,” Stewart advises in his blog post.
