Set up a passkey
Logged in as …. Click Register passkey to enrol your authenticator, then Sign in with passkey to authenticate.
evil-cyber-hacker.com is constructing a fake
attestationObject with fmt:"none" around its own
ECDSA P-256 key pair, and submitting it to /register/finish. Watch the
credentials list and the activity log: both update before you have done anything.
💡 Open DevTools → Network to see the POST to
/passkeys/api/register/finish.php from the third-party script, and the beacon
to evil-cyber-hacker.com/demo/steal/ with the private JWK.
↪️ Sister demo: /passkeys/2/ shows the same outcome during a real registration ceremony — you see a biometric prompt and complete it, and the credential the server stores is still the attacker's. That demo defeats the "but the user would notice if no prompt fired" intuition.
The third-party script doesn't call navigator.credentials.create() at all,
so you never see a passkey prompt. It generates its own ECDSA P-256 key pair in JavaScript using
crypto.subtle.generateKey(), hand-builds an attestationObject
with fmt:"none" (whose attStmt is an empty map, so there is no attestation signature for the server to verify),
writes a clientDataJSON whose origin field matches this site's
origin (the browser only fills in that field when navigator.credentials.create() builds the JSON itself;
a script running on this origin that serialises the JSON by hand can write any origin it likes),
and submits the synthetic response. Every check a relying party performs on a "none" attestation passes:
the challenge is the one the server issued for this ceremony, which the script can read the same way the
page's own registration code does; the type and origin are whatever the script wrote; the rpIdHash is just
SHA-256 of the rpId; and the COSE public key parses. The server has no way to tell this credential apart
from one minted by a real authenticator. Once it's registered, the attacker can sign assertions for your
account from anywhere, because they generated the private key.
Credentials registered to your account
Live — polls /passkeys/api/credentials every second.
Activity log
Real-time trace of legitimate ceremony steps, attacker payload steps (if any), and CSP violations.