Report URI

Report URI: a market leader in browser security technologies, enabling you to detect and mitigate attacks, fast.

20/05/2026

We’ve open-sourced passkeys-php, the WebAuthn library we use at Report URI, to help the community deploy passkeys more easily and safely.

Small. Auditable. MIT licensed. Built for real-world PHP apps.

Our founder, Scott Helme, shared the details today:

We've open-sourced passkeys-php, the WebAuthn server library we use at Report URI to protect logins with passkeys, security keys, and platform authenticators like Touch ID, Face ID, and Windows Hello. It started as a set of local security fixes for our own production passkeys implementation. Now, ra...

19/05/2026

Great research from our founder, Scott Helme, on one of the hidden risks of passkeys.

Passkeys reduce phishing risk, but malicious JavaScript in the browser can still abuse registration flows and create persistent account takeover risk.

Client-side visibility matters.

A single XSS vulnerability can turn passkeys from a phishing-resistant login mechanism into a persistent account takeover backdoor. If malicious JavaScript can run on your page, it may be able to register an attacker-controlled passkey against the victim’s account. The user sees nothing, the websi...

18/05/2026

Passkeys are becoming a major part of how we secure accounts online, but there’s still a lot of confusion about what they are, how they work, and what risks remain.

Our founder, Scott Helme, has written a short introduction to Passkeys to set the scene before we publish some deeper technical posts this week.

A simple starting point before we get into the details.

Passwords have been the weak point in online authentication for decades. They can be reused, guessed, stolen, phished, leaked, sprayed, stuffed, and captured by malware. Passkeys are one of the first mainstream authentication technologies that remove many of those problems entirely, and any website....

15/05/2026

A checkout page can look secure, work normally, and still be stealing customer payment data.

In this post, Scott Helme breaks down a real-world JavaScript compromise where attackers modified a trusted file to skim card data directly from the browser — and why organisations need visibility into the code running in the browser.

Read the post:

One malicious change to a trusted JavaScript file can turn your checkout page into a silent credit-card skimmer, siphoning customer data off to criminals while the website looks secure and continues to work as normal. That creates serious organisational risk: PCI exposure, regulatory consequences, r...

22/04/2026

The NCSC is right to push passkeys.

They’re a huge step forward for authentication: phishing-resistant, no shared secret on the server, far better than passwords in many ways.

But passkeys don’t make your application trustworthy after login. You still need to deal with session abuse, XSS, CSRF, malicious passkey registration, and transaction manipulation.

Our founder Scott Helme wrote about the security considerations teams need to think about when rolling out passkeys and published a white paper:

Passkeys are awesome and that's why we implemented them on Report URI! You can read about our implementation here and get the basics on how Passkeys work and why you want them. In this post, we're going to focus on what security considerations you should have once you start using

22/04/2026

Good morning Glasgow! 🏴󠁧󠁢󠁳󠁣󠁴󠁿

Come and find us at CyberUK booth G13 and see how we can show you exactly what code is running on your website. 👨‍💻

20/04/2026

The Report URI refresh is live! 💙🧡

New homepage, refreshed product + case study pages, all-new social cards across the site, and more.

Same mission: catching the third-party code your website is running that you don't control.

➡️ https://report-uri.com

13/04/2026

We're tracking an active Magecart campaign targeting ecommerce sites.

The malware hides from admins, adapts to the platform, and changes how it steals payment data!

Write-up:

We’ve been tracking an active Magecart campaign targeting ecommerce sites, with payloads customised per victim and evasion logic designed to stay hidden from site owners. We spotted it because we monitor what code actually executes in the browser, not just what a site is supposed to load. What we

04/12/2024

The results are in for our 2024 Penetration Test, and things are looking good! 😎

It's that time of year again! At Report URI, we've just been through our 5th penetration test, and as usual, we're going to publish the results, take a look at what was found, and what we're going to do about it. Penetration Tests We're racking up quite the tally of

Address

35 - 47 Bethnal Green Road
London
E1 6LA
