The PoisonSeed phishing campaign bypasses FIDO2 protections by abusing the cross-device sign-in feature of WebAuthn to trick users into approving login requests that originate from fake portals. The attack relies on legitimate features rather than a vulnerability, enabling large-scale phishing and financial fraud and underscoring the need for additional safeguards. #PoisonSeed #WebAuthn #FIDO2 #AiTM #CrossDeviceAuthentication
Key points
- The PoisonSeed campaign targets users through impersonated corporate login portals like Okta or Microsoft 365.
- The attack relies on abusing the cross-device authentication feature in WebAuthn, not exploiting a flaw in FIDO2 itself.
- Attackers prompt the legitimate portal to generate a cross-device sign-in QR code, present it on the fake portal, and the victim scans it, approving a login they did not initiate.
- The campaign sidesteps FIDO2 security keys by steering users into the cross-device authentication flow instead of the phishing-resistant one.
- Expel recommends limiting login locations, monitoring for unknown FIDO keys, and enforcing Bluetooth security to mitigate the risk.
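The first two mitigations above can be turned into a simple detection. The following is an added example, not code from Expel or from the original write-up: it scans constructed sign-in events for successful cross-device (WebAuthn "hybrid" transport) logins that come from a country outside an allow-list or use a credential ID the user never enrolled. The JSON field names are an assumption about what an IdP exports; the baseline and allow-list are constructed.

```python
import json

# Constructed sample sign-in events as JSON lines (not real IdP logs).
# "hybrid" is the WebAuthn transport used by cross-device (QR code) flows.
SAMPLE_LOG = """
{"user": "alice", "result": "SUCCESS", "transport": "internal", "credential_id": "cred-A1", "country": "US"}
{"user": "alice", "result": "SUCCESS", "transport": "hybrid", "credential_id": "cred-A1", "country": "US"}
{"user": "bob", "result": "SUCCESS", "transport": "hybrid", "credential_id": "cred-B1", "country": "NL"}
{"user": "carol", "result": "SUCCESS", "transport": "hybrid", "credential_id": "cred-NEW9", "country": "US"}
{"user": "dave", "result": "FAILURE", "transport": "hybrid", "credential_id": "cred-D1", "country": "BR"}
"""

# Constructed baseline: credential IDs each user enrolled through the normal process.
KNOWN_CREDENTIALS = {
    "alice": {"cred-A1"},
    "bob": {"cred-B1"},
    "carol": {"cred-C1"},
    "dave": {"cred-D1"},
}

# Constructed allow-list of countries users are expected to sign in from.
ALLOWED_COUNTRIES = {"US"}


def parse_events(log_text):
    """Parse JSON-lines sign-in events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_suspicious_cross_device_logins(events, known_credentials, allowed_countries):
    """Return (user, reasons) for each successful cross-device sign-in that came
    from a disallowed location or used a credential not in the user's baseline.
    Failed attempts and non-hybrid transports are ignored."""
    alerts = []
    for ev in events:
        if ev["result"] != "SUCCESS" or ev["transport"] != "hybrid":
            continue
        reasons = []
        if ev["country"] not in allowed_countries:
            reasons.append(f"location {ev['country']} not allowed")
        if ev["credential_id"] not in known_credentials.get(ev["user"], set()):
            reasons.append(f"unknown credential {ev['credential_id']}")
        if reasons:
            alerts.append((ev["user"], reasons))
    return alerts


if __name__ == "__main__":
    for user, reasons in find_suspicious_cross_device_logins(
            parse_events(SAMPLE_LOG), KNOWN_CREDENTIALS, ALLOWED_COUNTRIES):
        print(user, "; ".join(reasons))
```

In the constructed data, bob's login is flagged for location and carol's for an unenrolled credential; alice's cross-device login from an allowed country with a known key passes, and dave's failed attempt is ignored.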