Security Advisory 2018-03-02 – WebUSB Bypass of U2F Phishing Protection
Tracking IDs: YSA-2018-02
Update March 7, 2018
Today, Google released Chrome 65. Chrome 65 blocks access to all impacted Yubico products over WebUSB, which closes the WebUSB bypass of the U2F phishing protection for YubiKeys. This updated browser version also re-enables WebUSB. All YubiKey users are now protected from this unintended issue, and we will continue to work with Google to ensure that Yubico customers remain protected.
To check whether you are using the latest version of Chrome, please navigate to chrome://help in your browser address bar. You must restart Chrome to complete the installation.
Update March 6, 2018
Today, Google delivered an automatic fix to existing Google Chrome users that disables WebUSB to address this issue in the interim. YubiKey NEO users are now safe from this unintended issue. With WebUSB disabled, attempted attacks are blocked until a permanent fix is available. The automatic fix is delivered without a separate Chrome update as long as you are using the latest version of Chrome. To make sure you are using the latest version of Chrome, go to chrome://help in your browser address bar to automatically check. We continue to work with Google on addressing these issues permanently.
Background
On February 27, 2018, Yubico was informed of a conference presentation given on February 16, 2018 that demonstrated a potential security issue with the new WebUSB feature in Google Chrome. WebUSB allows websites to directly access USB devices. The presentation used a YubiKey NEO to demonstrate how an attacker could use WebUSB to bypass the origin checking built into Chrome that provides phishing protection for the U2F protocol.
The demonstration showed that if a victim agreed to give a phishing site access via WebUSB to the YubiKey NEO in the USB port, and the victim was also successfully tricked into touching the YubiKey NEO, the U2F phishing protection could be bypassed. The researchers argued that this could be achieved with social engineering.
Summary Of The Issue
The U2F protocol was designed to protect against phishing by requiring that the origin of authentication requests for the intended website be automatically and transparently validated by the U2F client (the browser) and sent to the authenticator (the authentication token) without the need for user involvement. In certain circumstances, WebUSB allows an attacker to bypass the browser's U2F origin verification and pass information directly to the authenticator. The authenticator then has no way to tell whether that information is trustworthy, and as a result it may process authentication requests originating from a phishing site.
Mitigating Factors
We recommend that users click “Cancel” in response to any dialog box appearing in Chrome that requests WebUSB access to a YubiKey. The attack cannot proceed unless the user explicitly grants access to the U2F device by clicking “Connect” in response to the WebUSB request. The user must approve WebUSB access on a per-site and per-device basis, so it is important that users do not click “Connect” for any website.
Figure 1 shows the approval dialog.
[Figure 1: The WebUSB Access Approval Dialog for the Chrome Browser]
In addition, because WebUSB does not provide a way to bypass the test-of-user-presence in the YubiKey NEO, the user would also have to touch the key to approve the authentication request for the phishing attack to succeed.
The researchers were careful to note that their “technique doesn’t demonstrate a flaw in Yubico’s products so much as a very unintended byproduct of Chrome’s WebUSB feature”.
Solution
In Chrome 65, which is currently in beta, Google plans to implement a block list for WebUSB that is expected to mitigate this issue.
It is always important to keep browsers up to date with the latest patches. To make sure you are using the latest version of Chrome, go to chrome://help in your browser address bar to automatically check.
FAQ
- Is the FIDO U2F Security Key affected by this issue?
  - Not that we are aware of at this time.
- Is the YubiKey 4 affected by this issue?
  - Not that we are aware of at this time.
- Why can the U2F Authenticator not validate the origin?
  - Under the U2F protocol, the browser is responsible for validating the origin of the authentication request and sending it to the authenticator because the browser is the only component that has the information to do so. The authenticator relies on the site information provided by the browser being trustworthy. The researchers demonstrated how WebUSB can send arbitrary site information directly to the authenticator, bypassing the trusted path between the browser and the authenticator.
- Is there a way to disable WebUSB entirely?
  - On March 6, 2018, Google published an automatic fix to existing Google Chrome users that disables WebUSB to address this issue in the interim.
- I approved WebUSB access for a site/device. How do I revoke it?
  - Open Chrome Settings
  - Scroll to the bottom and click Advanced
  - Click on Content settings
  - Click on USB devices
  - Locate the device you wish to remove, and the website you want to revoke access from, then click the three dots and select “Remove”
Timeline
| Date | Event |
| --- | --- |
| 2018-02-27 | Yubico informed of WebUSB issue. |
| 2018-03-02 | Yubico publishes Security Advisory. |
| 2018-03-06 | Google blocks WebUSB as an interim step. |
| 2018-03-07 | Google releases Chrome 65, which blocks WebUSB access to all Yubico products and re-enables WebUSB. |