This reports a vulnerability that allows a malicious entity to take over accounts secured with FIDO2/Passkeys.

This was discussed with W3C WebAuthn contributors: w3c/webauthn#1965

- When a legitimate user goes to authenticate to a Relying Party, the RP generates a `publicKey` object containing a random challenge and `rpId` and sends it to the user's browser.
- The browser calls the `navigator.credentials.get()` function, which passes the `publicKey` object to a Security Key or Trusted Platform Module over CTAP.
- The browser (on Linux systems, where WebAuthn is implemented in the browser) or the system (on Windows, via webauthn.dll) generates a prompt for the user to take action on the authenticator. This action may include giving a fingerprint, entering a PIN, or just touching the authenticator.
- The authenticator signs the challenge with the private key of the keypair previously stored in it and generates an `AuthenticatorAssertion