by michaelt 2930 days ago

  did they literally go "yeah this website can send
  anything to the YK device directly, what could go wrong?".
WebUSB displays a prompt, albeit an uninformative one [1]. The idea is to trick the user into enabling WebUSB when they think they're enabling U2F.

[1] https://developers.google.com/web/updates/images/2016-03-02-...


Well that clearly doesn't look like a U2F prompt.

Of course U2F devices should be excluded from the list, and there should be some warning text about "do not allow important devices on random websites", but that doesn't seem like a huge deal.

  Well that clearly doesn't look like a U2F prompt.
Thus downgrading U2F from "makes phishing impossible" to "relies on the user taking care to spot phishing attempts"
So just like any other phishing attempt then. What did we gain again?
Playing devil's advocate here (because I do agree this would be ridiculous but I think this is worth pointing out), but you can never completely rule out tricking the user. They could always download a file and run it to bypass the browser or something. So the question really is how easy it is to trick the user here.