SquareX to unveil browser, passkey flaws at Black Hat, DEF CON

Techday NZ

14 hours ago

SquareX researchers are set to present a series of vulnerability disclosures relating to browser security at two major security events in August.
During Black Hat USA and DEF CON 33, SquareX will reveal a number of architectural vulnerabilities impacting passkey authentication systems, enterprise data loss prevention solutions, and browser extensions. The company's researchers plan to deliver multiple talks that aim to detail new techniques attackers may use to circumvent existing security measures.
Browser-first world
At Black Hat USA, the presentation titled "Browser-Native Security in a Browser First World" will be delivered by Vivek Ramachandran, Founder of SquareX. This talk is expected to cover the growing dependency enterprises have on web browsers and the resulting security challenges.
With staff reportedly spending up to 80% of their device usage time within browsers, defending against browser-based threats has become a critical concern. Ramachandran's talk will highlight current tactics, techniques, and procedures (TTPs) that enable attackers to bypass technologies such as Secure Access Service Edge (SASE), endpoint detection and response (EDR), and endpoint data loss prevention (DLP) tools.
Passkey vulnerabilities
DEF CON 33 will feature Shourya Pratap Singh, Jonathan Lin and Daniel Seetoh presenting research under the session title "Passkeys Pwned: Turning WebAuthn Against Itself." This discussion will focus on a new technique designed to subvert passkey authentication.
Passkeys, which have seen significant uptake among major technology providers such as Apple, Google, and Microsoft, are promoted as a more secure alternative to traditional passwords. Despite this positioning, SquareX's research asserts that vulnerabilities still exist. "Over the past year, we have been releasing bleeding edge research on architectural browser vulnerabilities as part of the Year of Browser Bugs project. We believe that deeply understanding the attacker mindset is the only way to defend against the newest threat vectors, and we believe that it is critical to share these findings at industry leading conferences like Black Hat and DEF CON. This year's research demonstrates critical gaps that traditional security solutions simply cannot address - everything from passkey to browser extension vulnerabilities. We will also be sharing multiple open source browser-native security tools that enterprises need to plug the browser security gap," said Vivek Ramachandran, Founder of SquareX.
Browser extension threats
In addition to the mainstage talks, Nishant Sharma and Shourya Pratap Singh will present "Plug and Prey: Scanning and Scoring Browser Extensions" at Recon Village. Their session introduces ExtHuntr, an open-source tool developed to scan for installed browser extensions, analyse their permissions and behaviour, and generate risk scores. ExtHuntr aims to provide security teams with greater visibility into potential risks posed by browser extensions.
SquareX will also run a demonstration called "Copycat: Identity Stealer Extension" and a session titled "Angry Magpie: DLP Bypass Simulator" at DEF CON 33 Demo Labs, underscoring the firm's focus on practical, real-world attack simulation tools related to browser security.
Cloud security workshop
Nishant Sharma, Head of Security Research at SquareX, is scheduled to conduct a workshop at Cloud Village, titled "Serverless but Not Defenceless: A Security Deep Dive into Cloud Run." The workshop will provide attendees with detailed guidance on how to deploy and manage services on Google Cloud Run securely, using principles drawn from DevSecOps and related practices.
Security field manual
Audrey Adeline, a SquareX researcher, will participate in "The Trailblazer's Guide to Cybersecurity" discussion at Black Hat USA. Topics will include the experiences of professionals who are first-generation entrants to the cybersecurity sector. Adeline will also share information about the release of The Browser Security Field Manual, a book written in collaboration with chief information security officers (CISOs) from Fortune 500 companies and major technology firms. The manual addresses contemporary attacks targeting employees via browsers and provides guidance on defensive techniques.
Event schedule
In addition to the headline talks, SquareX researchers will lead several demonstration sessions and workshops at both Black Hat USA and DEF CON 33. These include practical labs showing browser-based identity theft and DLP bypass scenarios, as well as further engagements focusing on serverless security and browser-native security tools.
The presentations are designed to highlight what SquareX claims are critical gaps in existing security technology, particularly where traditional solutions may not adequately address emerging attack vectors related to browsers, passkeys, and extensions.