Version 0.1 December 17th 2024

TL;DR:

Messaging apps are increasingly vulnerable to phishing attacks, particularly through QR-based cross-device session sharing, which has become a target for sophisticated phishing techniques. In this whitepaper, we provide detailed diagrams and code samples to demonstrate how passkeys can effectively prevent these attacks.

https://github.com/DaryaScam

About the author:

Yuriy Ackermann is a seasoned security and authentication specialist with extensive expertise in standards architecture, penetration testing, and large-scale project management. As a former Technical Manager at the FIDO Alliance, Yuriy contributed significantly to the development of FIDO2, WebAuthn, and other industry-leading authentication standards. He has been instrumental in creating certification programs, conducting workshops worldwide, and shaping the global adoption of secure authentication technologies. An accomplished writer and speaker, Yuriy is the creator of a popular FIDO/passkeys blog. His passion for pushing the boundaries of technology is matched by his dedication to user-centric design and practical implementations in cybersecurity.

Abstract

Modern messaging apps offer users multiple ways to access their services. While mobile apps remain the primary platform for most users, many seek more versatile options, such as tablet apps on Android or iPadOS. Others prefer the convenience of desktop apps on Windows, macOS, or Linux, or may simply want to open a quick session in their web browser.

However, the current methods for cross-device session sharing are inherently insecure and vulnerable to phishing attacks.

The past two years have seen a sharp rise in attacks targeting cross-device session sharing, driven by the increasing user shift to siloed hybrid social platforms like Telegram, WhatsApp, WeChat, and Discord. Messaging apps are no longer used solely for P2P communication; they now function as social media hubs. Telegram, in particular, stands out for hosting a wide array of independent news channels, bloggers, and social service accounts, especially in regions like Ukraine and Russia.

This evolving usage, coupled with the harsh realities of the war in Ukraine and the prevalence of disinformation campaigns, has significantly increased the value of chat user accounts. People use these platforms daily to connect with friends, access news, participate in discussions, and engage with social services. This makes messaging apps prime targets for a wide spectrum of attackers—from cybercriminals focused on identity theft to state-sponsored hacker groups conducting espionage. As a result, the threat landscape for messaging apps is more dangerous than ever before.

An attacker’s potential gains extend far beyond sending messages on your behalf. They can often access your entire message history, extract sensitive documents such as passports or IDs (which people commonly share over chat), and send messages without your knowledge. Additionally, attackers can manipulate communications by deleting sent messages to cover their tracks, making the breach even more insidious.

These attacks are well known and have been abused for the last decade, as described in a 2018 paper by Ryan Heartfield and George Loukas from Cambridge University. They have been rising in volume across the globe in the last 24 months, with evidence of them in Russia, Ukraine, Singapore, Iran, China, the US, and elsewhere.

Kuba Gretzky has written a great article on how these attacks work, and has even added support for them to the latest version of the Evilginx phishing framework.

However, nothing is lost: recent developments in the passkey ecosystem mean that we are ready to fight back and kill messenger phishing once and for all, which is why this paper exists in the first place.

How do modern messengers work?