Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Okay, that makes sense. I thought they could just log in to a dummy site, not that it was proxying requests through to a real site. Yikes.


I suppose you can completely skip dummy sites when phishing for passkeys since the user doesn't know the password and therefore you don't need him to enter said password anywhere (which is why you needed a dummy site in the first place).




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: