PoisonSeed Hackers Bypass FIDO Keys Using QR Phishing and Cross-Device Sign-In Abuse

Jul 21, 2025 | Ravie Lakshmanan | Threat Intelligence / Authentication

Cybersecurity researchers have disclosed a novel attack technique that allows threat actors to bypass Fast IDentity Online (FIDO) key protections by deceiving users into approving authentication requests from spoofed company login portals.

FIDO keys are hardware- or software-based authenticators designed to eliminate phishing by binding logins to specific domains using public-key cryptography: the authenticator only signs for the relying party ID the browser presents, and the browser only presents an ID that matches the page origin. In this case, attackers exploit a legitimate feature, cross-device sign-in, to trick victims into unknowingly authenticating malicious sessions.

The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed, which was recently flagged as leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases and drain victims' digital wallets.

"The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys," researchers Ben Nahorney and Brandon Overstreet said. "However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks."

The technique does not work in all scenarios. It specifically targets users authenticating via cross-device flows that do not enforce strict proximity checks, such as Bluetooth or local device attestation. In the FIDO hybrid transport as specified, the phone that scans the QR code emits a Bluetooth Low Energy advertisement that the device which displayed the code must receive before the session can continue; that advertisement is the proximity check, and a relay to a machine outside radio range cannot satisfy it. If a user's environment mandates hardware security keys plugged directly into the login device, or uses platform-bound authenticators (like Face ID tied to the browser context), the attack chain breaks.


Cross-device sign-in allows users to sign in on a device that does not have a passkey by using a second device that does hold the cryptographic key, such as a mobile phone.

The attack chain documented by Expel begins with a phishing email that lures recipients to log into a fake sign-in page mimicking the enterprise's Okta portal. Once the victims enter their credentials, the sign-in information is silently relayed by the bogus site to the real login page.

The phishing site then instructs the legitimate login page to use the hybrid transport method for authentication, which causes the page to serve a QR code that is subsequently sent back to the phishing site and presented to the victim.

Should the user scan the QR code with the authenticator app on their mobile device, the attackers gain unauthorized access to the victim's account.

"In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in," Expel said.

"The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in."

What makes the attack noteworthy is that it defeats the phishing resistance FIDO keys are meant to provide and allows threat actors to obtain access to users' accounts. The compromise method does not exploit any flaw in the FIDO implementation. Rather, it abuses a legitimate feature to downgrade the authentication process: the WebAuthn client in this flow is the attacker's browser session on the genuine portal, so the assertion the phone produces carries the genuine origin and relying party ID and verifies correctly, and the phone has no way to tell that the QR code reached it through a lure page.

While FIDO2 is designed to resist phishing, its cross-device login flow, known as hybrid transport, can be misused if proximity verification like Bluetooth is not enforced. In this flow, users can log in on a desktop by scanning a QR code with a mobile device that holds their passkey.

However, attackers can intercept and relay that QR code in real time via a phishing site, tricking users into approving the authentication on a spoofed domain. This turns a secure feature into a phishing loophole, not due to a protocol flaw, but due to its flexible implementation.
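The following is an added example, not code from the article or from Expel, that models why origin binding stops a classic phishing page but not the QR-code relay described above. It uses a simplified WebAuthn flow: `RP_ID`, `RP_ORIGIN` and `PHISH_ORIGIN` are assumed names, the signature is stood in for by an HMAC keyed with the passkey's secret so the script runs offline (real authenticators use ECDSA or EdDSA over CBOR-encoded data), and the Bluetooth proximity requirement is modelled as a single boolean rather than the actual advertisement exchange.

```python
# Added example (not from the article or Expel): simplified model of a passkey,
# a WebAuthn client, and a relying party, used to compare a classic phishing
# page with the hybrid-transport (QR code) relay. HMAC stands in for the
# signature; RP_ID, RP_ORIGIN and PHISH_ORIGIN are assumed values.
import hashlib
import hmac
import json
import secrets

RP_ID = "sso.example.com"                                  # assumed relying-party ID
RP_ORIGIN = "https://sso.example.com"                      # genuine login portal
PHISH_ORIGIN = "https://sso.example.com.verify-login.net"  # assumed lure domain


class Passkey:
    """Phone-resident passkey for RP_ID. The RP holds the same key only because
    HMAC stands in for a real public-key signature in this model."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)

    def sign(self, rp_id, client_data_hash):
        # A FIDO authenticator signs authenticatorData || clientDataHash, and
        # authenticatorData begins with SHA-256(rpId), so the phone commits to
        # the relying party the client asked it to authenticate to.
        if rp_id != self.rp_id:
            raise ValueError("no credential for this rpId")
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
        sig = hmac.new(self.key, auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def client_get_assertion(origin, challenge, passkey, rp_id):
    """The WebAuthn client (the browser that called navigator.credentials.get)
    writes its own page origin into clientDataJSON and only accepts an rpId
    that equals the origin's host or is a registrable suffix of it."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId is not valid for origin " + origin)
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    auth_data, sig = passkey.sign(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(passkey, challenge, client_data, auth_data, sig):
    """Relying-party checks: type, challenge and origin in clientDataJSON,
    rpIdHash in authenticatorData, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(
        passkey.key, auth_data + hashlib.sha256(client_data).digest(), "sha256"
    ).digest()
    return hmac.compare_digest(expected, sig)


def classic_phish(passkey, challenge):
    """Victim's own browser is on the lure domain and invokes WebAuthn there.
    Whether the page asks for the real rpId or its own, no assertion comes out."""
    lure_host = PHISH_ORIGIN.split("://", 1)[1]
    for rp_id in (RP_ID, lure_host):
        try:
            client_get_assertion(PHISH_ORIGIN, challenge, passkey, rp_id)
            return "assertion produced"
        except ValueError:
            continue
    return "blocked"


def hybrid_relay(passkey, challenge, proximity_enforced):
    """AitM as described by Expel: the attacker's browser sits on the genuine
    portal, requests cross-device sign-in, and relays the QR code to the victim,
    whose phone signs for the attacker's session. proximity_enforced models the
    Bluetooth check: the device that displayed the QR code must be in radio
    range of the phone, which the attacker's machine is not."""
    if proximity_enforced:
        return False
    client_data, auth_data, sig = client_get_assertion(RP_ORIGIN, challenge, passkey, RP_ID)
    return rp_verify(passkey, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    pk, ch = Passkey(RP_ID), secrets.token_hex(16)
    print("classic phishing page:", classic_phish(pk, ch))
    print("QR relay, no proximity check:", hybrid_relay(pk, ch, proximity_enforced=False))
    print("QR relay, proximity enforced:", hybrid_relay(pk, ch, proximity_enforced=True))
```

The point the model makes explicit is that every check the relying party performs passes in the relay case, because the origin and rpId it sees are the genuine ones; the only thing standing between the attacker and the session is whether the client device that rendered the QR code is required to be physically near the phone.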


Expel also said it observed a separate incident where a threat actor enrolled their own FIDO key after compromising an account through a phishing email and resetting the user's password.

To better protect user accounts, organizations should pair FIDO2 authentication with device-trust checks that verify the device being used. When possible, logins should happen on the same device holding the passkey, which limits phishing risk. Security teams should watch for unusual QR code logins and for new passkey enrollments, particularly ones that follow a password reset. Account recovery options should use phishing-resistant methods, and login screens, especially for cross-device sign-ins, should show helpful details like location, device type, or clear warnings to help users spot suspicious activity.

If anything, the findings underscore the need for adopting phishing-resistant authentication at all steps in an account lifecycle, including during recovery phases, as using an authentication method that is susceptible to phishing can undermine the entire identity infrastructure.
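As an added example of the monitoring the paragraph above recommends (not code from the article or Expel), the script below runs two detections over constructed identity-provider audit events: a cross-device (hybrid transport) FIDO sign-in from an IP address or country the user has never had a session from, and a WebAuthn factor enrolled shortly after a password reset or from an unfamiliar address, which is the second incident Expel describes. The events are made up for this example and the field names (`event`, `transport`, `factor`, and so on) are assumptions, not any vendor's log schema.

```python
# Added example (not from the article or Expel). Detection logic for
# cross-device sign-ins from unfamiliar locations and for passkey enrollments
# that follow a password reset, run over constructed sample events. Field names
# are assumptions for this example and do not follow any particular IdP schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); deliberately not in time order.
EVENTS = [
    {"ts": "2025-07-14T09:02:11Z", "event": "session.start", "user": "alice", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2025-07-15T09:05:40Z", "event": "session.start", "user": "alice", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2025-07-21T13:41:05Z", "event": "password.verified", "user": "alice", "ip": "198.51.100.77", "country": "NL"},
    {"ts": "2025-07-21T13:41:09Z", "event": "webauthn.verified", "user": "alice", "ip": "198.51.100.77", "country": "NL", "transport": "hybrid"},
    {"ts": "2025-07-21T13:41:10Z", "event": "session.start", "user": "alice", "ip": "198.51.100.77", "country": "NL"},
    {"ts": "2025-07-21T15:02:00Z", "event": "password.reset", "user": "bob", "ip": "192.0.2.5", "country": "US"},
    {"ts": "2025-07-21T15:03:30Z", "event": "factor.enrolled", "user": "bob", "ip": "192.0.2.5", "country": "US", "factor": "webauthn"},
    {"ts": "2025-07-10T08:00:00Z", "event": "session.start", "user": "carol", "ip": "203.0.113.22", "country": "US"},
    {"ts": "2025-07-21T08:10:00Z", "event": "webauthn.verified", "user": "carol", "ip": "203.0.113.22", "country": "US", "transport": "internal"},
]

RESET_TO_ENROLL_WINDOW = timedelta(minutes=60)   # assumed tuning value


def parse_ts(ts):
    # Explicit format so this works on Python versions that do not parse "Z".
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return alerts as (user, rule, ts) tuples.

    Events are processed in time order. The per-user baseline is built from
    session.start events, which follow the authentication events that produced
    them, so each sign-in is judged against the sessions that preceded it."""
    alerts = []
    known_ips = defaultdict(set)
    known_countries = defaultdict(set)
    last_reset = {}   # user -> time of most recent password reset

    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        user, ts, kind = ev["user"], parse_ts(ev["ts"]), ev["event"]

        if kind == "webauthn.verified" and ev.get("transport") == "hybrid":
            # Cross-device (QR code) sign-in is the only FIDO path the relay abuses;
            # platform ("internal") and plugged-in ("usb") transports are left alone.
            if ev["ip"] not in known_ips[user]:
                severity = "high" if ev["country"] not in known_countries[user] else "medium"
                alerts.append((user, f"hybrid_signin_unfamiliar_ip:{severity}", ev["ts"]))

        elif kind == "password.reset":
            last_reset[user] = ts

        elif kind == "factor.enrolled" and ev.get("factor") == "webauthn":
            reset_at = last_reset.get(user)
            if reset_at is not None and ts - reset_at <= RESET_TO_ENROLL_WINDOW:
                alerts.append((user, "passkey_enrolled_after_reset", ev["ts"]))
            elif known_ips[user] and ev["ip"] not in known_ips[user]:
                alerts.append((user, "passkey_enrolled_unfamiliar_ip", ev["ts"]))

        elif kind == "session.start":
            known_ips[user].add(ev["ip"])
            known_countries[user].add(ev["country"])

    return alerts


if __name__ == "__main__":
    for user, rule, ts in detect(EVENTS):
        print(f"{ts} {user}: {rule}")
```

Ordering matters here: alice's session.start from the Dutch address is logged one second after the hybrid sign-in, so the sign-in is evaluated against her earlier US-only baseline and fires at high severity; had the baseline been updated from the suspicious session first, the alert would never trigger. Carol's sign-in uses the platform authenticator on the same device and produces nothing.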

"AitM attacks against FIDO keys and attacker-controlled FIDO keys are just the latest in a long line of examples where bad actors and defenders up the ante in the fight to compromise/protect user accounts," the researchers added.
