TL;DR
I found a bypass for the recently fixed vulnerability CVE-2024-9956 in Mobile Safari. The original fix blocks FIDO:/ URIs from being navigable. I was able to bypass it with a specifically crafted deep link to the Shortcuts app that leverages the x-cancel and x-error query parameters to open arbitrary URLs when the shortcut isn't successful. Apple fixed it following my report on 29 July 2025.
CVE-2024-9956 (February 2025)
All major mobile browsers were found to be vulnerable, allowing FIDO:/ intents to be triggered by a page. As a result, a nearby attacker who lures a victim to their site and gets them to accept a passkey prompt can hijack the victim's app session. See the original blog post for more details.
How CVE-2024-9956 got fixed
All fixes involved blocklisting such URIs to prevent navigation.
Blocklisting is a weak Security Control
Blocklisting is often ineffective as a sole security measure because it only addresses known threats, leaving systems vulnerable to new or unknown attacks. It requires constant maintenance and can create a false sense of security, leading people to overlook other critical defenses. A better approach is to fix the root cause.
Bypass CVE-2024-9956
I found a bypass for the blocklist countermeasure for CVE-2024-9956 in Mobile Safari. The original fix blocks FIDO:/ URIs from being navigable. However, I discovered a method that allows an attacker to circumvent this restriction and trigger FIDO:/ intents from attacker-controlled webpages, or by simply sending a specifically crafted link to a victim. This bypass enables phishing of FIDO credentials if the physical-presence check (the attacker's device must be within BLE range of the victim's device) can be successfully completed.
The bypass leverages the Shortcuts app, which is installed by default. A specifically crafted deep link to the Shortcuts app uses the x-cancel and x-error query parameters. These parameters are part of the x-callback-url convention the Shortcuts app supports: they specify a URL that is opened when the interaction is canceled by the user (x-cancel) or fails (x-error). Setting these query parameters to a valid FIDO:/ URL will trigger the intent, because it is the Shortcuts app, not Safari, that opens the callback URL. This is not blocked and circumvents the current countermeasure for CVE-2024-9956. Using a shortcut name that does not exist guarantees the error path is taken. For example:
shortcuts://x-callback-url/run-shortcut?name=DOESNOTEXIST&x-cancel=FIDO://12345&x-error=FIDO://12345
Bypass explained step by step
Here is a list of detailed steps:
- The attacker initiates a hybrid (caBLE) FIDO authentication and generates a FIDO intent (FIDO:/...) for the target RP on a device within BLE range of the victim's device.
- The attacker lures the victim into opening a link using the previously described shortcuts:// scheme mechanism, where the generated FIDO intent is set as the x-cancel and x-error query parameters. There are various ways to lure a user into opening a phishing link.
- The victim clicks the link; the shortcut fails (or is canceled), the Shortcuts app opens the FIDO:/ callback URL, and the FIDO dialog starts.
- The victim authenticates with FIDO.
- The attacker's hybrid (caBLE) FIDO authentication completes successfully.
The point is that Safari blocks opening fido:/ URLs directly, but with shortcuts://...?x-cancel=fido:/... it was still possible to open FIDO intents from webpages rendered in Safari, because the blocklist only looked at the scheme of the URL Safari itself navigated to, not at where that URL would forward the user afterwards.
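To make the failure of the scheme-only blocklist concrete, here is an added example in JavaScript. It is not code from the original post or from Apple: it builds the Shortcuts deep link from a FIDO intent the way the bypass does, then runs it through a naive scheme blocklist (the shape of the original fix) and through an illustrative check that also follows x-callback-url callback parameters. The FIDO intent string, the NAVIGATION_BLOCKLIST and the two check functions are constructed for this demonstration; the real caBLE payload after FIDO:/ is a long digit string, and the recursive check is a model of the missing logic, not Apple's actual patch.

```javascript
// Added example (not from the original post or from Apple). Shows why a
// scheme-only blocklist passes the Shortcuts deep link used in the bypass.

// Schemes a naive fix refuses to navigate to (constructed for this example).
const NAVIGATION_BLOCKLIST = ["fido"];

// x-callback-url parameters that name a URL the Shortcuts app opens afterwards.
const CALLBACK_PARAMS = ["x-success", "x-error", "x-cancel"];

// Build the deep link exactly as in the bypass: a shortcut name that does not
// exist forces the error path, and x-cancel/x-error both carry the FIDO intent.
// URLSearchParams percent-encodes the intent so the nested URL survives parsing.
function buildBypassLink(fidoIntent, shortcutName = "DOESNOTEXIST") {
  const params = new URLSearchParams({
    name: shortcutName,
    "x-cancel": fidoIntent,
    "x-error": fidoIntent,
  });
  return `shortcuts://x-callback-url/run-shortcut?${params.toString()}`;
}

// Extract the URL scheme (lower-cased) or null if the string has none.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// The naive control: only the scheme of the URL being navigated to is checked.
function naiveNavigationAllowed(url) {
  return !NAVIGATION_BLOCKLIST.includes(schemeOf(url));
}

// Return every callback target carried in the query string (already decoded).
function callbackTargets(url) {
  const qIndex = url.indexOf("?");
  if (qIndex === -1) return [];
  const params = new URLSearchParams(url.slice(qIndex + 1));
  return CALLBACK_PARAMS.map((p) => params.get(p)).filter((v) => v !== null);
}

// Illustrative hardened check: apply the blocklist to the URL itself and to
// every callback target it would forward the user to. Nested callbacks are
// bounded so a link that chains callbacks cannot make the check recurse forever.
function recursiveNavigationAllowed(url, depth = 0) {
  if (depth > 4) return false;
  if (!naiveNavigationAllowed(url)) return false;
  return callbackTargets(url).every((t) => recursiveNavigationAllowed(t, depth + 1));
}

// Constructed placeholder for a hybrid (caBLE) FIDO intent; not a real payload.
const fidoIntent = "FIDO://12345";
const link = buildBypassLink(fidoIntent);

console.log(link);
console.log("direct FIDO link, naive check:", naiveNavigationAllowed(fidoIntent));
console.log("shortcuts deep link, naive check:", naiveNavigationAllowed(link));
console.log("shortcuts deep link, recursive check:", recursiveNavigationAllowed(link));
```

The naive check refuses the bare FIDO:/ URL but passes the shortcuts:// link, which is exactly the gap the bypass walks through; the recursive check fails the link because one of its callback targets is blocked. The recursion limit matters: x-callback-url targets can themselves be x-callback-url links, so any check that follows them needs a bound.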
Timeline
- 25.03.2025 - Reported to Apple
- 26.03.2025 - First response from Apple
- 29.07.2025 - Fixed in iOS 18.6, iPadOS 18.6, macOS Sequoia 15.6, watchOS 11.6
- 29.07.2025 - Published Advisory with the comment: “We would like to acknowledge Dennis Kniep for their assistance.”