
Mar 26, 2025
CVE-2024-9956: Critical WebAuthentication Vulnerability in Google Chrome on Android
Discover CVE-2024-9956, a critical Chrome flaw on Android allowing Bluetooth-based PassKey theft, and learn key mitigation strategies.
In October 2024, a critical security vulnerability, designated as CVE-2024-9956, was identified in the WebAuthentication (WebAuthn) component of Google Chrome on Android devices. This flaw allowed local attackers within Bluetooth range to escalate privileges via specially crafted HTML pages, leading to potential account takeovers and data breaches. Given the widespread adoption of PassKeys for authentication, this vulnerability posed a significant threat to users relying on phishing-resistant authentication mechanisms.
- Common Vulnerability Scoring System (CVSS) v3.1 base score: 7.8
- Exploit Prediction Scoring System (EPSS) score: 0.029%
The vulnerability stemmed from an improper implementation in Chrome’s WebAuthentication API handling. The primary issue involved unauthorized invocation of the FIDO:/ URI scheme, which is used for handling PassKey authentication requests.
Attackers could exploit this flaw by hosting a malicious webpage that, when accessed by a victim, would initiate an automatic PassKey authentication request via Bluetooth. Since this process did not require direct user interaction, attackers could capture authentication credentials and use them for account takeover attacks.
The attack process follows these steps:
- User visits a malicious website crafted by an attacker.
- The website triggers an unintended FIDO:/ authentication request.
- Chrome initiates a Bluetooth-based authentication request for WebAuthn.
- The attacker, within Bluetooth range, intercepts and captures the authentication response.
- The attacker uses the captured PassKey authentication data to authenticate as the victim.
A proof-of-concept exploit demonstrated that the flaw could be triggered by embedding the following script in an attacker-controlled webpage:
```html
<script>
  // Create an anchor whose href uses the FIDO:/ scheme and click it
  // programmatically, so the intent fires without any user gesture.
  let passkeyTrigger = document.createElement('a');
  passkeyTrigger.href = 'FIDO:/auth';
  document.body.appendChild(passkeyTrigger);
  passkeyTrigger.click();
</script>
```
Once a victim accesses the page, the script forces the browser to initiate a PassKey authentication request, allowing an attacker to intercept credentials.
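As an added, defender-side example that is not part of the original post: a small Python scanner, suitable for a proxy or mail-gateway content check, that flags HTML attempting to invoke the FIDO:/ scheme either from a URL-bearing attribute or from a string literal in an inline script. The sample pages are constructed here; string-building obfuscation in scripts is out of scope for this first-pass check.

```python
import re
from html.parser import HTMLParser

# Attributes whose value is a URL and could therefore carry a custom scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
# "fido:" at the start of a value, tolerating case and stray whitespace.
FIDO_SCHEME = re.compile(r"^\s*fido\s*:", re.IGNORECASE)
# A quoted string literal that begins with the fido: scheme inside inline script.
FIDO_LITERAL = re.compile(r"""(['"`])\s*fido\s*:[^'"`]*\1""", re.IGNORECASE)


class FidoUriScanner(HTMLParser):
    """Collects (location, value) pairs for every fido: URI found in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_buf = None  # list while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script_buf = []
        for name, value in attrs:  # attribute names arrive lower-cased
            if name in URL_ATTRS and value and FIDO_SCHEME.match(value):
                self.findings.append((f"{tag}[{name}]", value.strip()))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)  # script text may arrive in pieces

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            script, self._script_buf = "".join(self._script_buf), None
            for m in FIDO_LITERAL.finditer(script):
                # group(0) includes the surrounding quotes; drop them for the report
                self.findings.append(("script literal", m.group(0)[1:-1].strip()))


def scan_html(html):
    """Return a list of (location, value) for fido: URIs in the given HTML."""
    scanner = FidoUriScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: the PoC pattern from the write-up, an attribute variant, and a benign page.
POC_PAGE = ("<html><body><script> let passkeyTrigger = document.createElement('a');"
            " passkeyTrigger.href = 'FIDO:/auth'; document.body.appendChild(passkeyTrigger);"
            " passkeyTrigger.click();</script></body></html>")
ATTR_PAGE = '<a href=" Fido:/auth">sign in</a><iframe src="https://example.com"></iframe>'
BENIGN_PAGE = '<a href="https://example.com/login">sign in</a><script>var x = "https://a/";</script>'
```

Each finding names where the URI was seen, so a gateway rule can block or quarantine the page and log the exact value.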
The vulnerability was initially discovered in Google Chrome on Android (versions prior to 130.0.6723.58). However, further investigation revealed that similar issues existed across:
- Safari on iOS
- Firefox on Android
- Samsung Internet Browser
This indicated a systemic flaw in mobile WebAuthn intent handling, affecting multiple platforms.
Two illustrative attack scenarios:
Scenario 1 (public Wi-Fi):
- A victim connects to public Wi-Fi at an airport.
- The attacker hosts a malicious webpage that triggers a background PassKey authentication request.
- Since the attacker is within Bluetooth range, they intercept the credentials.
- The attacker gains unauthorized access to the victim’s accounts.
Scenario 2 (phishing link):
- The victim receives a phishing link via email, leading to a malicious site.
- The site silently invokes the FIDO:/ authentication request.
- If the attacker is nearby, they can steal the authentication response.
- The victim remains unaware while the attacker logs into their account.
Google released Chrome version 130.0.6723.58, which addressed this issue by restricting unauthorized WebAuthn intent invocation. Users are strongly advised to:
- Update Google Chrome to the latest version.
- Disable WebAuthn via Bluetooth if not required.
- Use a VPN to reduce the risk of MITM attacks.
- Be cautious of unexpected authentication prompts.
For users who cannot update immediately:
- Disable Bluetooth when not in use.
- Avoid untrusted links and websites.
- Manually approve WebAuthn requests to prevent automatic authentication.
CVE-2024-9956 highlights a critical flaw in mobile WebAuthn implementations, demonstrating how malicious actors can exploit legitimate authentication mechanisms for unauthorized access. This vulnerability underscores the importance of rigorous security testing in authentication protocols and the need for prompt software updates to protect user data.
References:
National Vulnerability Database (NVD): CVE-2024-9956
Security Research Report: Mastersplinter Research