CVSS3: 6.5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
AI Score: 7.2 High (Confidence: High)
CVSS2: 4.3 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS: 0.001 Low (Percentile: 40.0%)
In Chrome 61, released in September 2017, Google included a feature called WebUSB. WebUSB allows websites to request direct access to USB devices through JavaScript. A web page could potentially access and interact with a USB device interface unless the operating system reserved exclusive access to that interface.
On February 16, 2018, researchers Markus Vervier and Michele Orrù demonstrated how to circumvent the FIDO U2F origin check using WebUSB at OffensiveCon. Yubico learned about this when we were contacted by a journalist at Wired Magazine on February 27, 2018. We reached out to Markus and Michele and they demonstrated the issue and showed us slides from their presentation on March 2, 2018. The research results we present below build on Markus's and Michele's original work.
The origin check is performed by the FIDO Client (the web browser) and is a critical part of the U2F protocol that is used in preventing man-in-the-middle and phishing attacks. Markus and Michele showed how to use WebUSB to pass U2F requests to the USB CCID interface on the YubiKey NEO, thereby bypassing the origin check and creating a potential security issue. Yubico immediately began working with Google to remedy this issue and published a security advisory on March 2, 2018.
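The origin check described above, as an added Python sketch (not code from Yubico, Google or the researchers). It models the FIDO client building the two 32-byte hashes that are all a U2F token receives, which is why the token cannot re-check the origin itself. The AppID `https://login.example`, the function names and the same-origin-only facet rule are assumptions made for illustration.

```python
import base64, hashlib, json
from urllib.parse import urlsplit

APP_ID = "https://login.example"   # constructed relying-party AppID
CHALLENGE = bytes(range(32))       # constructed server challenge

def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def client_sign_params(caller_origin, app_id, challenge):
    """What a FIDO client does before any bytes reach the token.

    Assumption: a caller is allowed only when its origin equals the AppID's
    origin; real clients can also honour a trusted-facet list.
    """
    if origin_of(caller_origin) != origin_of(app_id):
        raise PermissionError(f"{caller_origin} may not use AppID {app_id}")
    client_data = json.dumps({
        "typ": "navigator.id.getAssertion",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin_of(caller_origin),  # filled in by the client, not the page
    }).encode()
    challenge_param = hashlib.sha256(client_data).digest()
    application_param = hashlib.sha256(app_id.encode()).digest()
    # The token is handed only these 64 bytes (plus a key handle): no origin text.
    return client_data, challenge_param + application_param

def rp_accepts_client_data(client_data, expected_origin, issued_challenge):
    """Relying-party side: client data must name our origin and our challenge."""
    d = json.loads(client_data)
    pad = "=" * (-len(d["challenge"]) % 4)
    return (d["typ"] == "navigator.id.getAssertion"
            and d["origin"] == expected_origin
            and base64.urlsafe_b64decode(d["challenge"] + pad) == issued_challenge)

if __name__ == "__main__":
    cd, params = client_sign_params(APP_ID + "/signin", APP_ID, CHALLENGE)
    print(len(params), rp_accepts_client_data(cd, APP_ID, CHALLENGE))
    try:
        client_sign_params("https://login.example.evil.test/", APP_ID, CHALLENGE)
    except PermissionError as exc:
        print("client refused:", exc)
```

Because the relying party only sees client data that the token signed as an opaque hash, the guarantee holds only while every path to the token goes through a client that enforces the check.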
The researchers said at the time that this exploit only worked on U2F devices that “…offer protocols for connecting to a browser other than the usual way FIDO U2F tokens communicate with a computer, known as the Human Interface Device or HID, which isn’t vulnerable to the attack.” (Wired Magazine, March 1, 2018).
The WebUSB security model was based on the theory that operating systems reserve exclusive access to certain sensitive USB device types, but it turns out that operating systems do not uniformly do so. Most U2F authenticators support U2F access only over the USB Human Interface Device (HID) interface. Linux does lock exclusive access to the USB HID interface. However, while investigating the claims in the article, we discovered that USB HID devices were accessible over WebUSB on other operating systems.
Using tools we developed for testing this, we were able to directly access all U2F devices we tested via HID, including those from other vendors than Yubico, bypass the origin check, and sign a fake U2F request. We are providing further details on our research and findings below. We first reported this issue to Google on March 1, 2018 and filed a formal bug report with Google on March 5, 2018. It was addressed in Chrome 67 and given CVE number CVE-2018-6125.
June 13th Update: We were just made aware that the original researchers reported the Windows HID issue to Google around the same time we submitted it to Google. We were not aware of this at the time; we independently discovered it while investigating the public CCID issue, and followed standard responsible disclosure practices by sending all our findings, including the Windows HID issue, only to the affected vendor in order to afford maximum protection for the ecosystem.