It’s wise to maintain skepticism about bold cybersecurity claims—especially when they’re wrapped in marketing language meant to generate fear and sell a product.
The latest example of overhyped, misleading security “research” comes from a report released by SquareX, a startup promoting tools for securing browsers and client-side applications. In its newly published findings, the company asserts—without credible evidence—that it has uncovered a “major passkey vulnerability” capable of undermining the security foundations relied on by Apple, Google, Microsoft, and thousands of organizations adopting passkey authentication.
A closer look at the supposed breakthrough
The attack scenario, dubbed “Passkeys Pwned,” was first presented earlier this month during a Defcon session. The method hinges entirely on a malicious browser extension that the victim must have already installed through a prior social engineering scheme. Once present, the extension interferes with the creation of a new passkey for services such as Gmail or Microsoft 365.
While the registration appears legitimate to the user, the malicious extension silently generates its own keypair and registers it with the genuine gmail.com domain. Because the attacker—not the user—controls that keypair, the adversary gains access to the cloud-based applications that organizations depend on for critical business operations.
In a draft of the research shared ahead of publication, SquareX argued that its findings “disprove the myth that passkeys cannot be stolen” and show that “passkey theft is as trivial as traditional credential theft.” The company frames its work as a warning that passkeys are still relatively new and have not yet undergone decades of rigorous security testing.
