Owners of the YubiKey Neo beware. A Chrome feature Google introduced last year has the unintended consequence of being able to bypass one of the security key’s protections.
Normally, the security key works like this: When logging into a website, you connect the device to your PC. It then transmits a special code, unlocking access to your account. But before the key does any of this, it’ll first authenticate that the website you’re accessing is legit and not a fake page. This step is an important reason why YubiKey Neo maker Yubico calls the devices “unphishable.”
Unfortunately, Google inadvertently introduced a workaround; WebUSB can trick the security key into skipping this process. The researchers, Markus Vervier and Michele Orru, created a fake website with WebUSB that’ll directly access a YubiKey Neo, without initiating the website check.
Clever hackers could exploit WebUSB to craft phishing-style attacks, the duo warns. Imagine getting sent a fake Google login page and falling for the trap. You’ll not only end up handing over your password; the fake login page can also steal your YubiKey’s special code. The only thing standing in the way is that Chrome asks for the user’s permission before a page can connect to the YubiKey over WebUSB.
On Friday, Yubico confirmed the problem, but said it only appears to affect the company’s YubiKey Neo product. The vendor published a security advisory with more details. It’s advising that customers click “Cancel” whenever the Chrome browser requests WebUSB access to a YubiKey device. “For the phishing attack to succeed, the user would also have to touch the key [the flashing green button] to approve the authentication request,” the company said.
In a bit of irony, Google has been promoting the YubiKey Neo as a product that works with its Advanced Protection Program, which is designed to protect your Google account from the sneakiest phishing attacks.
Fortunately, Google is developing a short-term fix that’ll roll out in an upcoming Chrome release, Google product manager Christiaan Brand said in a statement.
“We are always appreciative of researchers’ work to help protect our users,” he said, adding “We aren’t aware of any evidence that the vulnerability has been exploited.”
Google is also working with the FIDO Alliance, a standards body involved in the security key technology, to address the problem with a longer-term solution.
In the meantime, an independent security researcher has come up with a Chrome browser extension that can disable Chrome’s WebUSB function. You can find it here.