by taviso
1239 days ago
The attack here was that if you get tricked into giving a phishing site your password and WebUSB access to your U2F key, and then you press your U2F key, then the attacker can bypass the 2FA. I highly doubt this ever happened in real life; it was just a proof of concept. In my opinion, the Chrome team overreacted and blocked all WebUSB access to any U2F/HID device. Now if you want to update the firmware or configure your key, you need to download an .exe and run it instead, which seems unfortunate to me. If the phisher had said "Your U2F firmware is out of date, please download and run this update to continue", would that have been a vulnerability? That could also bypass 2FA (or anything else, for that matter).