Jan 03, 2018 - 12:00 a.m.

Security advisory YSA-2018-01 - Yubico

Yubico.com
www.yubico.com

AI Score: 7.5 High (Confidence: Low)

Oscar Mira and Roi Martin from the Schibsted security team informed us of a security issue in the OATH (Initiative for Open Authentication) applet on the YubiKey NEO. The YubiKey OATH applet is used to generate time-based one-time password (TOTP) and HMAC-based one-time password (HOTP) codes that are then displayed in the companion Yubico Authenticator app. To provide an extra layer of protection against unauthorized viewing of these codes, the OATH applet can be protected with an optional password, a feature unique to the YubiKey OATH applet among one-time password (OTP) code generators. The issue may allow an individual in physical possession of the YubiKey NEO to remove the password protection of the OATH applet and, without knowing the password, view the TOTP/HOTP codes generated by the applet in the companion Yubico Authenticator app.
TOTP/HOTP codes generated by that applet are typically used as a second authentication factor, in conjunction with a password or PIN code, to log into a service or website. This issue does not affect those passwords or PIN codes; it only affects the password protecting the OATH applet on the YubiKey NEO.
Other functions of the YubiKey NEO, including PIV, FIDO Universal 2nd Factor (U2F) and Yubico OTP, are not affected. No other YubiKeys, including the YubiKey 4 and the FIDO U2F Security Key, are impacted by this issue. The YubiKey 4 platform uses a different applet for OATH, and the FIDO U2F Security Key does not include OATH.
