
Chrome Lets Hackers Phish Even 'Unphishable' Yubikey Users
Wired

There's no better way to protect yourself from the universal scourge of phishing attacks than with a hardware token like a Yubikey, which stymies attackers even if you accidentally hand them your username and password. Two weeks ago, in a little-noticed presentation at the Offensive Con security conference in Berlin, security researchers Markus Vervier and Michele Orrù detailed a method that exploits a new and obscure feature of Google's Chrome browser to potentially bypass the account protections of any victim using the Yubikey Neo, one of the most popular of the so-called Universal Two-Factor, or U2F, tokens that security experts recommend as the strongest form of protection against phishing attacks.

Beware WebUSB

Let's be clear: Vervier and Orrù's findings don't change the fact that adding two-factor authentication remains one of the most basic and crucial steps to protecting your sensitive accounts, and a U2F token like a Yubikey is the most secure form of that protection you can use. Vervier and Orrù found that they could code a website to connect to the Yubikey Neo with that WebUSB feature, instead of with the usual Chrome API for U2F that it's designed to use. "The browser developers put a proper API in place that makes careful use of whatever U2F token is in the computer," says Joern Schneeweisz, a security researcher for Recurity Labs who reviewed Vervier and Orrù's findings.