@chazh :
1️⃣ Close Safari and change the setting (top left screenshot) *OR* remove all fingerprints (I've not tested Face ID, but would be surprised if such devices would NOT be vulnerable)
2️⃣ Open Safari, open https://icloud.com (or https://account.apple.com), tap Sign in, then tap (x) as shown in the top right screenshot
3️⃣ Tap in the field "Email or Phone number" to invoke WebAuthn "Conditional UI"
4️⃣ In the pop-up, tap the "Use Passkey" button
Tadaa…
This does not work in ALL websites (and Chrome blocks this vuln).
Note that ALL passWORDS in iCloud Keychain, regardless of website, can be used without local auth. Maybe something to consider when you let your kid play games or lend your iPhone to a stranger because "their car broke" and their "phone's battery is empty".
WSJ's Joanna Stern: https://youtube.com/watch?v=QUYODQB_2wQ (follow-up: https://youtube.com/watch?v=tCfb9Wizq9Q)
Fix (and, and)
🔹 Use whatever extruding part of your body to set "Touch ID", whether you use it or not
🔹 Enable "Password Autofill"
Optionally disable "iPhone Unlock".
In addition, you may want to follow Joanna's advice: block making risky changes by enabling Screen Time.
@cendyne @soatok @rmondello (I told him before)



