
PoisonSeed Hackers Bypass FIDO Keys Using QR Phishing and Cross-Device Sign-In Abuse



Jul 21, 2025 | Ravie Lakshmanan | Threat Intelligence / Authentication

Cybersecurity researchers have disclosed a novel attack technique that allows threat actors to downgrade Fast IDentity Online (FIDO) key protections by deceiving users into approving authentication requests from spoofed company login portals.

FIDO keys are hardware- or software-based authenticators designed to eliminate phishing by binding each credential to a specific domain (the relying party's origin) using public-private key cryptography. In this case, attackers exploit a legitimate feature, cross-device sign-in, to trick victims into unknowingly authenticating sessions that the attacker controls.

The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed, which was recently flagged as leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases and drain victims' digital wallets.

"The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys," researchers Ben Nahorney and Brandon Overstreet said. "However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks."

This technique doesn't work in all scenarios. It specifically targets users authenticating via cross-device flows that don't enforce strict proximity checks, such as Bluetooth or local device attestation. If a user's environment mandates hardware security keys plugged directly into the login device, or uses platform-bound authenticators (like Face ID tied to the browser context), the attack chain breaks.


Cross-device sign-in allows users to sign in on a device that doesn't have a passkey using a second device that does hold the cryptographic key, such as a mobile phone.

The attack chain documented by Expel begins with a phishing email that lures recipients to log into a fake sign-in page mimicking the enterprise's Okta portal. Once the victims enter their credentials, the sign-in information is stealthily relayed by the bogus site to the real login page.

The phishing site then instructs the legitimate login page to use the hybrid transport method for authentication, which causes the page to serve a QR code that is subsequently sent back to the phishing site and presented to the victim.

Should the user scan the QR code with the authenticator app on their mobile device, the attackers gain unauthorized access to the victim's account.

"In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in," Expel said.

"The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in."

What makes the attack noteworthy is that it gets around protections offered by FIDO keys and enables threat actors to obtain access to users' accounts. The compromise method doesn't exploit any flaw in the FIDO implementation. Rather, it abuses a legitimate feature to downgrade the authentication process.

While FIDO2 is designed to resist phishing, its cross-device login flow, known as hybrid transport, can be misused if proximity verification like Bluetooth isn't enforced. In this flow, users can log in on a desktop by scanning a QR code with a mobile device that holds their passkey.

However, attackers can intercept and relay that QR code in real time via a phishing site, tricking users into approving the authentication on a spoofed domain. Note that the origin check still passes: the phone completes the ceremony with the real portal, so the signed assertion carries the legitimate origin. What the relayed flow lacks is any proof that the device displaying the QR code is the one in front of the user, which is exactly what the Bluetooth proximity step is meant to establish. This turns a secure feature into a phishing loophole, not because of a protocol flaw, but because of its flexible implementation.
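To make concrete why the origin binding that defeats ordinary credential phishing does not help here, the following is an added simulation of the three flows the article describes: an in-browser passkey prompted from a spoofed page, the relayed QR code, and a legitimate cross-device sign-in. It is not Expel's code or a FIDO implementation. Private-key signatures are stood in for by HMAC, the QR code carries only what the simulation needs rather than the real CTAP hybrid-transport encoding, and the Bluetooth proximity step is modelled as a simple "same location" test. The domain names are placeholders.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                  # assumed legitimate portal
PHISH_ORIGIN = "https://login-example.com"   # assumed attacker look-alike


class Authenticator:
    """Phone-held passkey. An HMAC key stands in for the private key (assumption)."""

    def __init__(self, rp_id, location):
        self.rp_id = rp_id
        self.location = location              # where the phone physically is
        self.key = secrets.token_bytes(32)

    def sign(self, challenge, origin):
        # The client the authenticator is serving writes the origin it is talking
        # to into clientDataJSON; the signature covers it, so the RP can check it.
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        mac = hmac.new(self.key, (self.rp_id + client_data).encode(), hashlib.sha256)
        return {"client_data": client_data, "sig": mac.hexdigest()}


class RelyingParty:
    """The real login portal holding the registered credential."""

    def __init__(self, rp_id, authenticator):
        self.rp_id = rp_id
        self.key = authenticator.key          # registered credential (shared secret in this model)
        self.challenges = set()

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def hybrid_qr(self, requesting_client_location):
        # Real hybrid transport encodes tunnel and BLE pairing data; this QR only
        # carries the challenge and where the requesting browser is.
        return {"rp_id": self.rp_id, "challenge": self.new_challenge(),
                "client_location": requesting_client_location}

    def verify(self, assertion):
        data = json.loads(assertion["client_data"])
        if data["origin"] != "https://" + self.rp_id:
            return False                      # origin binding: stops classic phishing
        if data["challenge"] not in self.challenges:
            return False
        self.challenges.discard(data["challenge"])
        expected = hmac.new(self.key, (self.rp_id + assertion["client_data"]).encode(),
                            hashlib.sha256)
        return hmac.compare_digest(expected.hexdigest(), assertion["sig"])


def phone_scans_qr(phone, qr, require_proximity):
    """The phone tunnels to the real RP, so it signs with the RP's origin no
    matter which web page displayed the QR. Only a proximity check ties the
    session to the device the user is actually sitting at."""
    if require_proximity and qr["client_location"] != phone.location:
        return None                           # BLE step fails: requesting browser is elsewhere
    return phone.sign(qr["challenge"], "https://" + qr["rp_id"])


def same_device_phish():
    """Classic AitM against an in-browser passkey: rejected on origin mismatch."""
    phone = Authenticator(RP_ID, "victim_desk")
    rp = RelyingParty(RP_ID, phone)
    challenge = rp.new_challenge()            # attacker fetched it from the real portal
    assertion = phone.sign(challenge, PHISH_ORIGIN)   # victim's browser is on the phishing origin
    return rp.verify(assertion)


def qr_relay_phish(require_proximity):
    """PoisonSeed-style flow: the attacker's browser requests hybrid sign-in on the
    real portal and relays the QR to the victim through the phishing page."""
    phone = Authenticator(RP_ID, "victim_desk")
    rp = RelyingParty(RP_ID, phone)
    qr = rp.hybrid_qr(requesting_client_location="attacker_machine")
    assertion = phone_scans_qr(phone, qr, require_proximity)
    return assertion is not None and rp.verify(assertion)


def legitimate_cross_device(require_proximity=True):
    """User's own desktop requests hybrid sign-in and the phone is right next to it."""
    phone = Authenticator(RP_ID, "victim_desk")
    rp = RelyingParty(RP_ID, phone)
    qr = rp.hybrid_qr(requesting_client_location="victim_desk")
    assertion = phone_scans_qr(phone, qr, require_proximity)
    return assertion is not None and rp.verify(assertion)


if __name__ == "__main__":
    print("in-browser passkey on phishing origin:", same_device_phish())
    print("relayed QR, no proximity check:      ", qr_relay_phish(False))
    print("relayed QR, proximity enforced:      ", qr_relay_phish(True))
    print("legitimate cross-device sign-in:     ", legitimate_cross_device())
```

The relayed flow succeeds without the proximity check for the reason the article gives: nothing in the ceremony ever names the phishing domain. In a real deployment the "location" test corresponds to the requesting client having to receive the phone's Bluetooth advertisement, which an attacker's browser in another city cannot do.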


Expel also said it observed a separate incident where a threat actor enrolled their own FIDO key after compromising an account through a phishing email and resetting the user's password.

To better protect user accounts, organizations should pair FIDO2 authentication with checks that verify the device being used. When possible, logins should happen on the same device holding the passkey, which limits phishing risk. Security teams should watch for unusual QR code logins or new passkey enrollments. Account recovery options should use phishing-resistant methods, and login screens, particularly for cross-device sign-ins, should show helpful details like location, device type, or clear warnings to help users spot suspicious activity.
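As an added example of the monitoring recommended above (not code from Expel or from any vendor), the following Python flags two of the signals described: a successful cross-device (hybrid) WebAuthn login from a country the user has never logged in from before, and a new FIDO factor enrolled shortly after a password reset, which matches the second incident Expel reported. The log lines are constructed, in an Okta-like shape; the event type names, the `transport` value in `debugData`, and the use of `actor.alternateId` for the affected user are assumptions, not a guarantee of any product's schema, and must be mapped to your identity provider's real fields before use.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (assumed Okta-like field names, not a real export).
SAMPLE_LOG = r"""
{"published":"2025-07-14T09:00:00Z","eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{"factor":"WEBAUTHN","transport":"usb"}}}
{"published":"2025-07-15T09:05:00Z","eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{"factor":"WEBAUTHN","transport":"usb"}}}
{"published":"2025-07-21T10:02:00Z","eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"Netherlands"}},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{"factor":"WEBAUTHN","transport":"hybrid"}}}
{"published":"2025-07-21T11:00:00Z","eventType":"user.account.reset_password","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9","geographicalContext":{"country":"Netherlands"}},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{}}}
{"published":"2025-07-21T11:07:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9","geographicalContext":{"country":"Netherlands"}},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{"factor":"WEBAUTHN"}}}
{"published":"2025-07-21T12:00:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.22","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{"factor":"WEBAUTHN"}}}
{"published":"2025-07-21T12:30:00Z","eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{"factor":"WEBAUTHN","transport":"usb"}}}
"""

# Transport labels taken to mean a cross-device (QR code) sign-in: an assumption.
HYBRID_TRANSPORTS = {"hybrid", "cable"}


def parse_events(text):
    """One JSON object per line, returned sorted by publish time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def _user(event):
    return event["actor"]["alternateId"]


def _debug(event):
    return event.get("debugContext", {}).get("debugData", {})


def detect(events, enroll_window=timedelta(minutes=30)):
    """Return (rule, user, published) tuples for suspicious activity.

    Rule 1: hybrid-transport WebAuthn success from a country with no prior
            successful login for that user (the relayed-QR pattern).
    Rule 2: WebAuthn factor activated within enroll_window of a password
            reset (attacker enrolling their own key after a takeover).
    """
    alerts = []
    seen_countries = {}      # user -> countries with an earlier successful login
    last_reset = {}          # user -> time of most recent password reset
    for event in events:
        user = _user(event)
        kind = event["eventType"]
        if kind == "user.authentication.auth_via_mfa" and event["outcome"]["result"] == "SUCCESS":
            debug = _debug(event)
            country = event["client"]["geographicalContext"]["country"]
            known = seen_countries.setdefault(user, set())
            if (debug.get("factor") == "WEBAUTHN"
                    and debug.get("transport") in HYBRID_TRANSPORTS
                    and country not in known):
                alerts.append(("cross_device_login_new_country", user, event["published"]))
            known.add(country)
        elif kind == "user.account.reset_password":
            last_reset[user] = event["ts"]
        elif kind == "user.mfa.factor.activate" and _debug(event).get("factor") == "WEBAUTHN":
            reset_at = last_reset.get(user)
            if reset_at is not None and event["ts"] - reset_at <= enroll_window:
                alerts.append(("fido_enrolled_after_reset", user, event["published"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(*alert)
```

Both rules are deliberately simple baselines. In production the country baseline would be built from a longer history than the log being scanned, and the enrollment rule would also consider who performed the reset (an administrator's reset followed by an enrollment from the same source IP is a different story from a self-service reset). Carol's enrollment produces no alert because nothing preceded it, which is the intended behaviour: new passkey enrollments are normal, and it is the combination with a reset or an out-of-pattern login that warrants review.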

If anything, the findings underscore the need for adopting phishing-resistant authentication at all steps in an account lifecycle, including during recovery phases, as using an authentication method that is susceptible to phishing can undermine the entire identity infrastructure.

"AitM attacks against FIDO keys and attacker-controlled FIDO keys are just the latest in a long line of examples where bad actors and defenders up the ante in the fight to compromise/defend user accounts," the researchers added.

(The story was updated after publication to make it more clear that the attack technique doesn't bypass FIDO protections and that it downgrades the authentication to a method that is susceptible to phishing.)