Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
PoisonSeed: How Phishing Attacks Bypass FIDO with WebAuthn

5 August 2025 07:43

The operators of the PoisonSeed phishing campaign have found a way to bypass FIDO (here FIDO2 with WebAuthn) by abusing the cross-device authentication mechanism that WebAuthn provides: the attackers convince victims to approve login requests that originate from fake corporate portals. PoisonSeed is a phishing campaign whose ultimate goal is financial fraud. In the past its operators have compromised corporate email-marketing accounts and used them to send recipients emails containing pre-generated seed phrases for cryptocurrency wallets.

In the new attacks identified by Expel's analysts, the attackers are not exploiting a vulnerability in FIDO but abusing a legitimate cross-device authentication feature. This WebAuthn feature lets a user authenticate on one device with a security key or authenticator app that lives on another. Instead of physically connecting the key (for example via USB), the user scans a QR code shown by the first device with the phone that holds the credential; the specification pairs that QR code with a Bluetooth proximity check between the two devices.

A PoisonSeed attack begins by redirecting the victim to a phishing site that imitates an Okta or Microsoft 365 corporate login portal. As soon as the victim enters their credentials, the phishing infrastructure replays them in real time against the real portal, in the manner of an adversary-in-the-middle relay. Normally the victim would now confirm the login with their FIDO key. In this scheme, however, the phishing server chooses the portal's "sign in with another device" option instead. The real portal then generates a QR code, which the phishing infrastructure forwards to the phishing page and displays to the victim.

When the victim scans this QR code with their smartphone or an authenticator app, they are in fact approving the attacker's login session on the real portal. The origin check that normally makes FIDO phishing-resistant is satisfied here because the browser that started the WebAuthn ceremony is the attacker's own, and it really is on the genuine portal. The attackers thereby sidestep FIDO's protection by steering the login onto the cross-device path, which needs no physical connection to the key and can be approved remotely.
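Why the relay succeeds where ordinary phishing fails, as an added example that is not part of the original article or of Expel's report: a toy Python model of the WebAuthn ceremony in which the relying party, authenticator, browser origins and the Bluetooth proximity step are all assumed stand-ins (an HMAC replaces the authenticator's real signature, and proximity is modelled as a same-location test). It shows the origin check rejecting a conventional phishing attempt, accepting the QR-code relay because the attacker's browser is genuinely on the real portal, and the proximity requirement that the last recommendation below refers to stopping the relay when it is enforced.

```python
"""Toy model of WebAuthn origin binding versus the PoisonSeed cross-device relay.
Constructed illustration, not code from Expel, Okta or Microsoft: an HMAC stands
in for the authenticator's signature (standard library only) and the Bluetooth
proximity check of the hybrid transport is modelled as a same-location test."""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"            # assumed real portal
RP_ID = "login.example.com"
PHISH_ORIGIN = "https://login-example.com.invalid"  # assumed phishing host

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Authenticator:
    """The victim's passkey, held on a phone or hardware key."""
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.credential_id = secrets.token_hex(8)
        self.key = secrets.token_bytes(32)          # toy private key

    def get_assertion(self, origin: str, challenge: str):
        # The browser that starts the ceremony builds clientDataJSON; the
        # authenticator only signs its hash. Whoever runs that browser decides
        # which origin is signed.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = sha256(self.rp_id.encode()) + b"\x05"  # rpIdHash || flags
        sig = hmac.new(self.key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return client_data, auth_data, sig

class RelyingParty:
    def __init__(self):
        self.keys = {}        # credential_id -> key (a public key in reality)
        self.pending = set()  # challenges issued but not yet consumed

    def register(self, auth: Authenticator):
        self.keys[auth.credential_id] = auth.key

    def begin_login(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def finish_login(self, credential_id, client_data, auth_data, sig) -> str:
        cd = json.loads(client_data)
        if cd.get("challenge") not in self.pending:
            return "rejected: unknown challenge"
        if cd.get("origin") != RP_ORIGIN:
            return "rejected: origin mismatch"      # what stops ordinary phishing
        if auth_data[:32] != sha256(RP_ID.encode()):
            return "rejected: rpIdHash mismatch"
        expected = hmac.new(self.keys[credential_id], auth_data + sha256(client_data),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "rejected: bad signature"
        self.pending.discard(cd["challenge"])
        return "accepted"

class Browser:
    """WebAuthn client: the machine whose screen shows the QR code."""
    def __init__(self, origin: str, location: str):
        self.origin, self.location = origin, location

def plugged_in_login(rp, browser, auth) -> str:
    """Key physically connected to the machine running the browser. A real browser
    refuses an rpId that does not match its origin; the RP check is the second layer."""
    challenge = rp.begin_login()
    return rp.finish_login(auth.credential_id, *auth.get_assertion(browser.origin, challenge))

def cross_device_login(rp, browser, auth, phone_location, enforce_proximity) -> str:
    """Hybrid flow: the browser shows a QR code, the phone holding `auth` scans it.
    In PoisonSeed the browser is the attacker's, legitimately on the real portal,
    and the QR code reaches the victim through the phishing page."""
    challenge = rp.begin_login()
    # After scanning, the phone advertises a value derived from the QR secret
    # over Bluetooth; only a client physically nearby can receive it.
    if enforce_proximity and phone_location != browser.location:
        return "aborted: no Bluetooth advertisement received"
    # Tunnel up: the browser submits *its own* origin for the phone to sign.
    return rp.finish_login(auth.credential_id, *auth.get_assertion(browser.origin, challenge))

def run_scenarios() -> dict:
    rp, auth = RelyingParty(), Authenticator(RP_ID)
    rp.register(auth)
    victim_pc = Browser(PHISH_ORIGIN, "victim-desk")
    attacker_pc = Browser(RP_ORIGIN, "attacker-vps")   # real site, attacker's machine
    return {
        "classic_phish_plugged_key": plugged_in_login(rp, victim_pc, auth),
        "poisonseed_qr_relay": cross_device_login(rp, attacker_pc, auth, "victim-desk", False),
        "qr_relay_with_proximity": cross_device_login(rp, attacker_pc, auth, "victim-desk", True),
        "legitimate_cross_device": cross_device_login(
            rp, Browser(RP_ORIGIN, "victim-desk"), auth, "victim-desk", True),
    }

if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

The four scenarios make the point of the article concrete: origin binding only protects the user whose own browser signs the request, so moving the signing request to the attacker's browser leaves the proximity requirement as the remaining line of defence.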

The researchers stress that the attack does not exploit any vulnerability in FIDO: the attackers use a standard feature to downgrade the login to a weaker path. To protect against such attacks, the experts recommend:

  • Limit the geographic areas from which access is permitted, and implement a registration process for employees travelling on business so that their sign-ins from abroad are expected rather than anomalous;
  • Regularly review new FIDO key registrations, looking for those from unusual geographic locations or from authenticator models and manufacturers the organisation does not issue;
  • Where possible, have employees use Bluetooth for cross-device authentication: the proximity requirement reduces the risk of remote attacks.

In the same report, Expel's analysts also describe another incident in which the attacker registered their own FIDO key after compromising the victim's account (presumably via phishing). Here there was no need to relay a QR code or interact with the victim at all: the attacker completed the whole login and enrollment process alone.
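The recommendations listed above and the key-registration incident just described reduce to one hunting query over identity-provider logs. The following is an added example, not Expel's code nor any vendor's detection content: the event schema, users, IPs, AAGUIDs, travel registrations and country baseline are all constructed, and it goes slightly beyond the list by also flagging an enrollment that follows closely on a user's first-ever login from a new country, which is the pattern of the second incident.

```python
"""Hunt for suspicious FIDO/WebAuthn key enrollments in identity-provider logs.
Added example; the event schema, users, IPs and AAGUIDs below are constructed
and do not reproduce Okta's or Microsoft's real log formats."""
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-07-30T08:02:11Z","user":"alice","event":"login.success","country":"IT","ip":"203.0.113.10"}
{"ts":"2025-07-30T08:05:40Z","user":"alice","event":"webauthn.enroll","country":"IT","ip":"203.0.113.10","aaguid":"aaaaaaaa-0000-4000-8000-000000000001"}
{"ts":"2025-07-31T13:44:02Z","user":"bob","event":"login.success","country":"NL","ip":"198.51.100.7"}
{"ts":"2025-07-31T13:47:19Z","user":"bob","event":"webauthn.enroll","country":"NL","ip":"198.51.100.7","aaguid":"bbbbbbbb-0000-4000-8000-0000000000ff"}
{"ts":"2025-08-01T09:10:00Z","user":"carol","event":"login.success","country":"US","ip":"192.0.2.44"}
{"ts":"2025-08-01T09:12:30Z","user":"carol","event":"webauthn.enroll","country":"US","ip":"192.0.2.44","aaguid":"aaaaaaaa-0000-4000-8000-000000000001"}
"""

# Policy inputs (assumed values): where staff normally sign in, who has
# registered business travel, which authenticator models the organisation
# issues (by AAGUID), and a per-user baseline of countries seen before.
ALLOWED_COUNTRIES = {"IT"}
TRAVEL_REGISTRATIONS = {"carol": {"US"}}
ISSUED_AAGUIDS = {"aaaaaaaa-0000-4000-8000-000000000001"}
KNOWN_COUNTRIES = {"alice": {"IT"}, "carol": {"IT"}}
ENROLL_WINDOW = timedelta(minutes=30)


def parse_events(log_text: str) -> list:
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def hunt_enrollments(events: list) -> list:
    """One finding per suspicious enrollment, listing every rule it tripped."""
    findings, last_login = [], {}
    seen = {user: set(countries) for user, countries in KNOWN_COUNTRIES.items()}
    for e in events:
        user, country = e["user"], e["country"]
        if e["event"] == "login.success":
            # A registered trip makes the country expected, not "new".
            expected = seen.get(user, set()) | TRAVEL_REGISTRATIONS.get(user, set())
            e["new_country"] = country not in expected
            seen.setdefault(user, set()).add(country)
            last_login[user] = e
            continue
        if e["event"] != "webauthn.enroll":
            continue
        reasons = []
        if country not in ALLOWED_COUNTRIES | TRAVEL_REGISTRATIONS.get(user, set()):
            reasons.append(f"enrollment from {country}, not an allowed or travel-registered country")
        if e.get("aaguid") not in ISSUED_AAGUIDS:
            reasons.append(f"AAGUID {e.get('aaguid')} is not an authenticator model we issue")
        login = last_login.get(user)
        if login and login["new_country"] and e["ts"] - login["ts"] <= ENROLL_WINDOW:
            minutes = int((e["ts"] - login["ts"]).total_seconds() // 60)
            reasons.append(f"enrolled {minutes} min after this user's first-ever login from {login['country']}")
        if reasons:
            findings.append({"user": user, "ts": e["ts"].isoformat(), "ip": e["ip"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_enrollments(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['user']} from {f['ip']}")
        for r in f["reasons"]:
            print("  -", r)
```

On the sample data only bob is reported, for all three reasons; carol's enrollment from the United States is accepted because her trip was registered in advance, which is exactly what the travel-registration process in the first recommendation buys you.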

This case highlights that even phishing-resistant authentication methods can be bypassed if the user is persuaded to complete the login process without physically interacting with the key.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.