[Webkit-unassigned] [Bug 270553] WebAuthn excludeCredentials option stopped preventing duplicate passkey registration

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 26 00:21:49 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=270553

--- Comment #3 from arian.vanputten at gmail.com ---
Note that this bug makes it extremely easy to lock yourself out of your accounts.

I just lost access to my GitHub account due to this.  (Until I find my recovery codes)

Steps to reproduce:

1. Add passkey to GitHub Account
2. Sign in with Passkey
3. Add another passkey to GitHub Account
   (GitHub sets excludeCredentials so that Safari shouldn't create another passkey)
4. Safari ignores excludeCredentials, throws away the old passkey and creates a new one
5. GitHub UI now shows two passkeys.
6. Delete one of the two passkeys (In this case I deleted the newest one)
7. Log out
8. Try to sign in with passkey.  GitHub complains that the passkey is not known
9. Be completely locked out of your account

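The steps above show a relying party populating excludeCredentials and still ending up with two registered passkeys. The following is an added example (not code from the bug report, WebKit or GitHub) of the relying-party side of that ceremony: building the excludeCredentials list from the credentials already stored for the user, then classifying the credential returned by the client. The record shape (`id` as a base64url string, `aaguid`, `transports`) and the heuristic that a second passkey with the same AAGUID for the same user may have replaced the first on the authenticator are assumptions of this example.

```javascript
// Added example, not from the bug report. Stored credential records are assumed to
// look like { id: <base64url credential ID>, aaguid: <string>, transports: [...] }.

// Decode a base64url credential ID into the BufferSource the WebAuthn API expects.
function b64urlToBytes(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Uint8Array.from(Buffer.from(b64, 'base64'));
}

// Build excludeCredentials for PublicKeyCredentialCreationOptions from every
// credential already registered for this user, so a conforming client declines
// to create a duplicate on an authenticator that already holds one of them.
function buildExcludeCredentials(knownCreds) {
  return knownCreds.map((c) => ({
    type: 'public-key',
    id: b64urlToBytes(c.id),
    transports: c.transports || [],
  }));
}

// After navigator.credentials.create() resolves and attestation has been parsed,
// compare the new credential with what the server already holds for this user:
//   'duplicate-id'       the returned ID is already registered, so the client did
//                        not honour excludeCredentials; reject the registration.
//   'same-authenticator' new ID, but the same AAGUID as an existing passkey for this
//                        user (assumption: a platform authenticator keeping one
//                        discoverable credential per rpId/user may have replaced the
//                        old one); warn the user before either entry is deleted.
//   'ok'                 nothing suspicious.
function classifyNewCredential(newCred, knownCreds) {
  if (knownCreds.some((c) => c.id === newCred.id)) return 'duplicate-id';
  if (newCred.aaguid && knownCreds.some((c) => c.aaguid === newCred.aaguid)) {
    return 'same-authenticator';
  }
  return 'ok';
}

module.exports = { b64urlToBytes, buildExcludeCredentials, classifyNewCredential };
```

A relying party that surfaces the 'same-authenticator' case to the user would have given the reporter a hint before step 6 that the older entry might no longer exist on the device.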