VaultJacking: How a Single 6-Digit PIN Can Compromise an Entire Google Credential Ecosystem
A sophisticated new phishing methodology, identified by researchers as “VaultJacking,” is sending shockwaves through the cybersecurity community. The vulnerability demonstrates a critical architectural exploit: a single captured Google Password Manager (GPM) PIN can be leveraged to decrypt and exfiltrate a user’s entire synchronized credential vault.
This discovery is particularly alarming because it undermines the perceived “phishing-proof” nature of passkeys. While passkeys are designed to resist traditional credential harvesting via origin binding, VaultJacking bypasses the individual login flow entirely by targeting the underlying synchronization infrastructure.
The Mechanics of the Attack: AiTM Meets Sync Logic
VaultJacking utilizes a classic Adversary-in-the-Middle (AiTM) framework. During a highly convincing, fraudulent Google sign-in session, the attacker does not merely hunt for a password; they intercept the victim’s credentials, session cookies, and—crucially—the 6-digit GPM PIN used for identity verification during device enrollment.
While a 6-digit PIN may seem trivial, in the context of Google’s sync architecture, it acts as a master key. Once obtained, the attacker can programmatically join a rogue device to the victim’s “security domain”—a logical grouping of trusted devices authorized to access synchronized secrets.
By joining this domain, the attacker can trigger the release of the Security Domain Secret (SDS). This secret is the cryptographic linchpin that decrypts the entire local vault on the attacker’s controlled machine, granting them access to every stored password, account, and passkey metadata.

Bypassing Passkey Protections
The research confirms that this exploit remains effective even against accounts utilizing hardware-backed passkeys. The technical distinction is vital: while WebAuthn prevents an attacker from using a stolen credential on a fake website, VaultJacking doesn’t care about the website. It extracts the credentials directly from the sync layer beneath the browser’s security prompts.
The attack chain is highly streamlined. After harvesting the PIN, the attacker registers their own passkey on the victim’s account to ensure long-term persistence. They then trigger the security-domain join, which surfaces an SDS unlock dialog when the framework asserts a passkey against a controlled Relying Party (RP) endpoint.

The Stealth Factor and Architectural Weakness
One of the most dangerous aspects of VaultJacking is its low visibility. Unlike many account takeover (ATO) methods, this process generates minimal friction. While a user might receive a “new sign-in” email, the enrollment of a new device via a PIN often bypasses the more intrusive push notifications or biometric approvals required by other ecosystems.
If the attacker has also compromised the victim’s email via the same session, they can simply delete the alert, rendering the breach effectively invisible. This highlights a fundamental difference in design philosophy: while Apple’s iCloud Keychain requires explicit authorization from a pre-existing trusted device to add new ones, Google’s model prioritizes seamless user recovery and ease of use, inadvertently creating a path for rapid lateral movement.

Mitigation and Defensive Posture
Security experts emphasize that this is not a failure of cryptography, but a failure of authorization logic during device enrollment. To defend against VaultJacking, organizations and individuals should adopt the following strategies:
- Monitor Device Enrollment: Google Workspace administrators should treat any “new device added” event in audit logs as a high-priority security alert.
- Profile Isolation: Maintain strict separation between personal and professional Chrome profiles to prevent a single compromised PIN from exposing corporate credentials.
- Enhanced Authentication: Move toward hardware security keys (like YubiKeys) that require physical presence, which can mitigate some AiTM risks.
VaultJacking represents an evolution in threat modeling. It follows similar patterns seen in “Browser Syncjacking”—which relies on malicious extensions—but is significantly more potent because it requires zero malware; it only requires a successful social engineering session. As the world moves toward a passwordless future, this research serves as a sobering reminder: the attack surface isn’t disappearing; it is simply shifting to the infrastructure that manages our secrets.