CVE-2024-9956: Critical WebAuthentication Vulnerability in Google Chrome on Android

In October 2024, a critical security vulnerability, designated as CVE-2024-9956, was identified in the WebAuthentication (WebAuthn) component of Google Chrome on Android devices. This flaw allowed local attackers within Bluetooth range to escalate privileges via specially crafted HTML pages, leading to potential account takeovers and data breaches. Given the widespread adoption of PassKeys for authentication, this vulnerability posed a significant threat to users relying on phishing-resistant authentication mechanisms.

Common Vulnerability Scoring System (CVSS) v3.1 base score of 7.8

Exploit Prediction Scoring System (EPSS) score of 0.029%

The vulnerability stemmed from an improper implementation in Chrome’s WebAuthentication API handling. The primary issue involved unauthorized invocation of the FIDO:/ URI scheme, which is used for handling PassKey authentication requests.

Attackers could exploit this flaw by hosting a malicious webpage that, when accessed by a victim, would initiate an automatic PassKey authentication request via Bluetooth. Since this process did not require direct user interaction, attackers could capture authentication credentials and use them for account takeover attacks.

The attack process follows these steps:

• User visits a malicious website crafted by an attacker.
• The website triggers an unintended FIDO:/ authentication request.
• Chrome initiates a Bluetooth-based authentication request for WebAuthn.
• The attacker, within Bluetooth range, intercepts and captures the authentication response.
• The attacker uses the captured PassKey authentication data to authenticate as the victim.

A proof-of-concept exploit demonstrated that the flaw could be triggered by embedding the following script in an attacker-controlled webpage:

<script>   let passkeyTrigger = document.createElement('a');   passkeyTrigger.href = 'FIDO:/auth';   document.body.appendChild(passkeyTrigger);   passkeyTrigger.click();</script>

Once a victim accesses the page, the script forces the browser to initiate a PassKey authentication request, allowing an attacker to intercept credentials.

The vulnerability was initially discovered in Google Chrome on Android (versions prior to 130.0.6723.58). However, further investigation revealed that similar issues existed across:

• Safari on iOS
• Firefox on Android
• Samsung Internet Browser

This indicated a systemic flaw in mobile WebAuthn intent handling, affecting multiple platforms.

• A victim connects to public Wi-Fi at an airport.
• The attacker hosts a malicious webpage that triggers a background PassKey authentication request.
• Since the attacker is within Bluetooth range, they intercept the credentials.
• The attacker gains unauthorized access to the victim’s accounts.

• Victim receives a phishing link via email, leading to a malicious site.
• The site silently invokes the FIDO:/ authentication request.
• If the attacker is nearby, they can steal the authentication response.
• Victim remains unaware while the attacker logs into their account.

Google released Chrome version 130.0.6723.58, which addressed this issue by restricting unauthorized WebAuthn intent invocation. Users are strongly advised to:

• Update Google Chrome to the latest version.
• Disable WebAuthn via Bluetooth if not required.
• Use a VPN to reduce the risk of MITM attacks.
• Be cautious of unexpected authentication prompts.

For users who cannot update immediately:

• Disable Bluetooth when not in use.
• Avoid untrusted links and websites.
• Manually approve WebAuthn requests to prevent automatic authentication.

CVE-2024-9956 highlights a critical flaw in mobile WebAuthn implementations, demonstrating how malicious actors can exploit legitimate authentication mechanisms for unauthorized access. This vulnerability underscores the importance of rigorous security testing in authentication protocols and the need for prompt software updates to protect user data.

References:

National Vulnerability Database (NVD): CVE-2024-9956

Security Research Report: Mastersplinter Research

Ready to deepen your understanding of CVEs? Dive into our dedicated CVE labs to tackle real-world scenarios and sharpen your skills in detecting, analyzing, and mitigating vulnerabilities. Don’t just learn about CVEs—master the skills to manage them effectively. Visit our labs today!