Redazione RHC: 5 August 2025 07:43
The authors of the PoisonSeed phishing campaign have found a way to bypass FIDO (in this case, FIDO2 with WebAuthn) using the cross-device authentication mechanism implemented in WebAuthn. The attackers convince victims to approve login requests from fake corporate portals. Please note that the PoisonSeed campaign is based on phishing, the ultimate goal of which is financial fraud. In the past, the attackers have hacked corporate accounts at email marketing providers and sent users emails containing pre-set seed phrases for cryptocurrency wallets.
In the new attacks identified by Expel experts, attackers are not exploiting a vulnerability in FIDO mechanisms, but are abusing a legitimate cross-device authentication feature. This WebAuthn feature allows a user to authenticate on one device using a security key or authentication app on another. Instead of physically connecting the key (for example, via USB), the authentication request is transmitted via Bluetooth or a QR code.
The new PoisonSeed attacks begin by redirecting the victim to a phishing site that imitates an Okta or Microsoft 365 corporate login portal. Once the victim enters their credentials, the phishing infrastructure uses them in real time to access the real portal. Normally, the victim would then confirm access with their FIDO key. In this scheme, however, the phishing server chooses the cross-device login flow instead of the locally connected key. As a result, the real portal generates a QR code, which is relayed to the phishing page and displayed to the victim.
When the user scans this QR code with their smartphone or an authenticator app, they are in effect approving the attacker's login. This lets the attackers bypass FIDO protection by switching to cross-device authentication, which does not require a physically connected key and can be approved remotely.
The researchers emphasize that the attack does not exploit any vulnerability in FIDO. Rather, the attackers exploit a standard function that allows them to lower the level of protection. To protect against such attacks, experts recommend:
In the same report, Expel analysts describe another incident in which the attacker registered their own FIDO key after compromising the victim's account (presumably via phishing). In this case there was no need to forge a QR code or interact with the victim at all: the attacker completed the entire login process alone.
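The two patterns above (a cross-device FIDO login relayed through a phishing page, and a new key enrolled right after an account compromise) both leave traces in sign-in logs. The following detection heuristics are an added example written for this article, not code from Expel or from any identity provider; the event records, field names (`transport`, `fido_enroll`) and the 15-minute window are constructed assumptions, not a real Okta or Microsoft 365 log schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified sign-in events (not a real Okta or Microsoft 365 schema).
# "transport" is the WebAuthn authenticator transport reported with the assertion;
# "hybrid" is the cross-device flow (QR code / Bluetooth) that the campaign abuses.
EVENTS = [
    {"ts": "2025-08-01T09:00:00", "user": "alice", "event": "password_ok", "ip": "198.51.100.7", "transport": None},
    {"ts": "2025-08-01T09:00:20", "user": "alice", "event": "fido_assert", "ip": "198.51.100.7", "transport": "usb"},
    {"ts": "2025-08-01T13:10:00", "user": "alice", "event": "password_ok", "ip": "203.0.113.45", "transport": None},
    {"ts": "2025-08-01T13:10:40", "user": "alice", "event": "fido_assert", "ip": "203.0.113.45", "transport": "hybrid"},
    {"ts": "2025-08-02T08:00:00", "user": "bob", "event": "password_ok", "ip": "203.0.113.99", "transport": None},
    {"ts": "2025-08-02T08:03:00", "user": "bob", "event": "fido_enroll", "ip": "203.0.113.99", "transport": "usb"},
]

ENROLL_WINDOW = timedelta(minutes=15)  # assumed tuning value, not from the article


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def baseline_ips(events, user, before):
    """IPs from which the user completed a non-hybrid FIDO login before `before`."""
    return {
        e["ip"] for e in events
        if e["user"] == user and e["event"] == "fido_assert"
        and e["transport"] != "hybrid" and parse_ts(e) < before
    }


def find_suspicious(events):
    """Return (user, ts, reason) tuples for the two patterns described in the article."""
    findings = []
    events = sorted(events, key=parse_ts)
    for e in events:
        known = baseline_ips(events, e["user"], parse_ts(e))
        # Pattern 1: cross-device (hybrid) assertion from an IP with no prior FIDO history.
        if e["event"] == "fido_assert" and e["transport"] == "hybrid" and e["ip"] not in known:
            findings.append((e["user"], e["ts"], "hybrid FIDO login from unfamiliar IP"))
        # Pattern 2: a new key enrolled shortly after a password login from an unfamiliar IP.
        if e["event"] == "fido_enroll" and e["ip"] not in known:
            recent_pw = [
                p for p in events
                if p["user"] == e["user"] and p["event"] == "password_ok" and p["ip"] == e["ip"]
                and timedelta(0) <= parse_ts(e) - parse_ts(p) <= ENROLL_WINDOW
            ]
            if recent_pw:
                findings.append((e["user"], e["ts"], "key enrolled shortly after password login from unfamiliar IP"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(EVENTS):
        print(*finding)
```

In a real deployment the baseline would come from the identity provider's own transport and enrollment fields, and a hybrid-transport login from a new network is a candidate for step-up verification rather than an automatic block.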
This case highlights that even phishing-resistant authentication methods can be bypassed if the user is persuaded to complete the login process without physically interacting with the key.