WebAuthn fullscreen security UI spoof PoC

This PoC demonstrates a fullscreen payment-confirmation page that immediately triggers browser-owned WebAuthn UI. The security issue exists only if browser-owned WebAuthn approval remains visually coupled with attacker-controlled fullscreen content.

Serve this page from https://... or http://localhost. If the origin relies on automatic fullscreen, grant that capability before using the automatic mode.

Actions

Current result

Event log

Payment confirmation

example.com/login

Confirm payment

Use your passkey to approve this banking transaction.

Checking account ending in 2048

Payment recipient

Example Merchant Services

Approve with passkey Verify this transfer with a device passkey, security key, or nearby phone.

Amount

$1,284.00 USD

This page is a generic mock used to demonstrate whether browser-owned WebAuthn approval can appear while attacker-controlled fullscreen context remains visible.