[dmitriid]

https://www.wired.com/story/chrome-yubikey-phishing-webusb/

Immediately after WebUSB shipped in Chrome: "security researchers Markus Vervier and Michele Orrù detailed a method that exploits a new and obscure feature of Google's Chrome browser to potentially bypass the account protections of any victim using the Yubikey Neo".

The fact that fishing (and fingerprinting etc.) isn't reported widely doesn't mean it doesn't happen. After all you trust Chrome to properly implement everything and take care of things. And yet here's an example of a different hardware standard, WebMIDI: https://twitter.com/denschub/status/1582730985778556931 (note the comment: "Chrome still allows web developers to enumerate attached MIDI devices without user consent or even a notification")

[taviso]

The attack here was that if you get tricked into giving a phishing site your password and Web USB access to your U2F key and then you press your U2F key, then the attacker can bypass the 2FA. I highly doubt this ever happened in real life, it was just a proof of concept.

In my opinion, the Chrome team overreacted and blocked all WebUSB access to any U2F/HID device.

Now if you want to update the firmware or configure your key you need to download an .exe and run it instead, which seems unfortunate to me.

If the phisher had said "Your U2F firmware is out of date, please download and run this update to continue", would that have been a vulnerability? That could also bypass 2FA (or anything else, for that matter).

[ocdtrekkie]

That is a trivial phishing path. In fact, the phishing site could easily justify that process as being required for security! "We need access to your YubiKey to use it to sign you in" seems extremely plausible.