

lauren@vortex.com
Date: Thu, 1 Mar 2018 09:17:26 -0800

WiReD via NNSquad http://www.wired.com/story/chrome-yubikey-phishing-webusb/

There's no better way to protect yourself from the universal scourge of
phishing attacks than with a hardware token like a Yubikey, which stymies
attackers even if you accidentally hand them your username and
password. But while Yubikey manufacturer Yubico describes its product as
"unphishable," a pair of researchers has proven the company wrong, with a
technique that allows clever phishers to sidestep even Yubico's last
bastion of login protection.

It's important to note that this exploit category does NOT represent a flaw in U2F itself, but essentially a side-channel vulnerability created by an unrelated subsystem. This specific problem in Chrome will be straightforward to fix, but does highlight the complexity of these security environments. As the saying goes: Security is hard!

[Caveat from Drew Dean channeling Kenn White on Twitter: This is
apparently true only for the YubiKey Neo, which uses the CCID protocol
over USB, not for the classic Blue, Nano, or 4 series. PGN]

