A critical vulnerability has been identified in Firefox for iOS which allows a nearby attacker to intercept and hijack passkey authentication processes. By tricking a user into visiting a malicious webpage, an attacker within Bluetooth range can gain unauthorized access to the user's accounts, leading to potential account takeover, data breaches, and compromise of sensitive corporate systems.

This vulnerability allows for a passkey authentication relay attack. An attacker can craft a malicious webpage that, when visited by a user on Firefox for iOS, uses a specially formed fido:// link to improperly interact with the operating system's passkey functionality. This triggers the hybrid passkey transport mechanism over Bluetooth Low Energy (BLE). An attacker within Bluetooth range can then present their own device to intercept the authentication request. The user, seeing a legitimate-looking prompt on their iPhone, may approve the sign-in, inadvertently granting the attacker access to their account on the attacker's machine. The core issue is Firefox for iOS's failure to properly validate the origin of the FIDO request before passing it to the OS for processing.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of user accounts that rely on passkey authentication, including access to corporate email, cloud platforms, financial systems, and other critical business applications. The direct business impact includes the high risk of data breaches, intellectual property theft, financial fraud, and significant reputational damage. As passkeys are adopted for privileged access, this vulnerability could also serve as an entry point for a wider network compromise.

Immediate Action: Update Mozilla Firefox for iOS to the latest version. For enterprise environments, use Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solutions to enforce the update across all managed devices. Monitor for exploitation attempts and review access logs for anomalous authentication patterns.

Proactive Monitoring: Security teams should monitor Identity and Access Management (IAM) and single sign-on (SSO) logs for unusual passkey authentication events. Look for logins from unexpected geographic locations, IP ranges, or device types that occur immediately after a successful authentication. Correlate these events with user-reported suspicious activity.

Compensating Controls: If immediate patching is not feasible, consider the following controls:

• Instruct users to temporarily use an alternative web browser (e.g., Safari) for accessing sensitive applications.
• Advise users to disable Bluetooth on their iOS devices when in untrusted public environments.
• Implement conditional access policies that block logins from outdated versions of the Firefox for iOS browser.
• Increase user awareness through security bulletins, warning them to be highly suspicious of unexpected passkey prompts.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability poses a severe and immediate risk to the organization through account takeover. Despite the lack of known active exploitation, the low complexity of the attack and the high potential impact demand urgent action. We strongly recommend that all instances of Firefox for iOS on corporate and BYOD devices be updated to the latest patched version immediately. Organizations should treat this as a top-priority patching directive and verify compliance across their entire device fleet.