There's no better way to protect yourself from the universal scourge of phishing attacks than with a hardware token like a Yubikey, which stymies attackers even if you accidentally hand them your username and password. But while Yubikey manufacturer Yubico describes its product as "unphishable," a pair of researchers has proven the company wrong, with a technique that allows clever phishers to sidestep even Yubico's last bastion of login protection.

Two weeks ago, in a little-noticed presentation at the Offensive Con security conference in Berlin, security researchers Markus Vervier and Michele Orrù detailed a method that exploits a new and obscure feature of Google's Chrome browser to potentially bypass the account protections of any victim using the Yubikey Neo, one of the most popular of the so-called Universal Two-Factor, or U2F, tokens that security experts recommend as the strongest form of protection against phishing attacks. With a sufficiently convincing phishing site and a feature in Chrome known as WebUSB, a hacker could both trick a victim into typing in their username and password, as with all phishing schemes, and then also send a query directly from their malicious website to the victim's Yubikey, using the response it provides to unlock that person's account. (A disclaimer: WIRED partners with Yubico to give free Yubikeys to subscribers. According to Vervier and Orrù, the model WIRED offers is not susceptible to their attack.)

"U2F is technically not broken, but it's still phishable, which many people thought was impossible," says Vervier. Vervier and Orrù, who work for the security consultancy X41, are careful to note that their technique doesn't demonstrate a flaw in Yubico's products so much as a very unintended byproduct of Chrome's WebUSB feature, which the browser added just last year.