Hacker News new | ask | show | jobs
by SahAssar 3033 days ago
Or disable webusb
1 comments
Ajedi32 3033 days ago
Or just don't click "Connect" on the USB access permissions prompt when it pops up.

Unfortunately though, as with any phishing attack, this flaw is most likely to be effective against uninformed users, and those users are the least likely to take proactive measures to protect themselves beforehand.

Fortunately:

> "We will have a short term mitigation in place in the upcoming version of Chrome, and we're working closely with the FIDO Alliance to develop a longer-term solution as well."

link
crispyporkbites 3033 days ago
What kind of uniformed user uses a YubiKey?

I supposed you could trick them by saying that the login process has changed and they need to enable WebUSB to let their YubiKey work

link
tedunangst 3033 days ago
Uninformed users who have an informed friend looking out for them but not looking over their shoulder every single minute.
link
cjcfjrf 3032 days ago
Not parent but great point, thank you.
link
jessaustin 3033 days ago
This seems to indicate that DoD uses them. Perhaps it's mostly contractors, but there are probably some liaison-type uniformed people too:

https://www.yubico.com/about/reference-customers/department-...

link
Buge 3032 days ago
The purpose of a Yubikey is to prevent users from making mistakes.

This phishing attack removes the benefit that Yubikeys provided.

Sure a smart users can decline the permission prompt. But a smart user can also simply not enter their password into phishing pages.

link
x0x0 3033 days ago
tqbf, pinboard, and zeynep are handing them out to journalists.

There is an enormous need for some solution resistant to users who aren't good at identifying legitimate vs phishing sites. U2F as it stands is the only practical and deployed solution to that problem. It's infuriating that chrome broke this security promise to compete with microsoft.

link