To address a low severity privacy issue, Yubico has released updated firmware for YubiKey 5 Series, Security Key Series, and YubiKey Bio Series. The YubiKey CSPN Series and YubiKey 5 FIPS Series are also affected. The YubiKey 5 FIPS Series will receive this privacy update in the next release of that series of keys.
In order to exploit this low-rated privacy issue, an attacker would need physical access to the YubiKey/Security Key or local access to the user's computer or phone where the YubiKey is used. This issue does not expose the credential or any other associated data on the secure element. Impact is also limited to applications and services with FIDO2 discoverable credentials*, often used in passwordless login without a username prompt. Non-discoverable FIDO2 credentials, often used in combination with a password, are not affected.
If an attacker had possession of the key or local access, they could potentially exploit this issue to discover a subset of the applications and services (not the user's credentials) that have been paired with the YubiKey. They could then bypass an expected user verification prompt and see applications and services for which a user has registered FIDO2 discoverable credentials on the YubiKey. All other YubiKey protocols (FIDO U2F, OATH, OpenPGP, OTP, Smart Card, YubiHSM Auth) are not affected. For technical details of this issue, see Issue Details below.
*For more details about identifying discoverable credentials, see How to Tell if You Are Affected below.
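Because the impact is limited to FIDO2 discoverable credentials, a relying party can tell which of its registrations are in scope by looking at what its WebAuthn registration ceremony asks for and at what the authenticator reports back. The following is an added example (not Yubico's code and not part of this advisory) that classifies a `PublicKeyCredentialCreationOptions` object by the WebAuthn `authenticatorSelection.residentKey` / `requireResidentKey` semantics, and reads the `credProps` extension result (`rk`) that a browser returns after registration. It assumes the authenticator supports discoverable credentials, as the affected YubiKeys do, so a `"preferred"` request is treated as producing one; the sample option objects and extension result are constructed for illustration.

```javascript
// Added example, not from the advisory: decide whether a WebAuthn
// registration request will produce a discoverable (resident) credential.
// Assumption: the authenticator supports discoverable credentials, so
// residentKey "preferred" results in a discoverable credential.

function classifyRegistrationOptions(publicKey) {
  const sel = (publicKey && publicKey.authenticatorSelection) || {};
  let residentKey = sel.residentKey;
  // Legacy fallback from WebAuthn: when residentKey is absent, the older
  // boolean requireResidentKey decides (true -> "required", else "discouraged").
  if (residentKey === undefined) {
    residentKey = sel.requireResidentKey === true ? "required" : "discouraged";
  }
  switch (residentKey) {
    case "required":
      return "discoverable";
    case "preferred":
      return "discoverable"; // authenticator supports it (assumption above)
    case "discouraged":
      return "non-discoverable";
    default:
      throw new Error(`unknown residentKey value: ${residentKey}`);
  }
}

// After registration, credential.getClientExtensionResults().credProps.rk
// states what the authenticator actually created: true means discoverable.
// Returns undefined when the client did not process the credProps extension.
function discoverableFromCredProps(clientExtensionResults) {
  const props = clientExtensionResults && clientExtensionResults.credProps;
  if (!props || typeof props.rk !== "boolean") return undefined;
  return props.rk;
}

// Constructed sample options, as a relying party might issue them.
const passwordlessOptions = {
  rp: { name: "Example RP" },
  user: { id: new Uint8Array(16), name: "alice", displayName: "Alice" },
  challenge: new Uint8Array(32),
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
  // Username-less login: discoverable credential, user verification required.
  authenticatorSelection: { residentKey: "required", userVerification: "required" },
  extensions: { credProps: true },
};

const secondFactorOptions = {
  ...passwordlessOptions,
  // Password + key: non-discoverable credential, not in scope of this issue.
  authenticatorSelection: { residentKey: "discouraged", userVerification: "preferred" },
};

const legacyOptions = {
  ...passwordlessOptions,
  // Older RP code that only sets the boolean flag.
  authenticatorSelection: { requireResidentKey: true },
};

// Constructed sample of getClientExtensionResults() after a successful
// passwordless registration.
const sampleExtensionResults = { credProps: { rk: true } };

const samples = {
  passwordless: passwordlessOptions,
  secondFactor: secondFactorOptions,
  legacy: legacyOptions,
};
for (const [label, opts] of Object.entries(samples)) {
  console.log(`${label}: ${classifyRegistrationOptions(opts)}`);
}
console.log(`credProps reports discoverable: ${discoverableFromCredProps(sampleExtensionResults)}`);
```

The pre-registration classification tells a relying party which of its ceremonies request discoverable credentials; the `credProps` check is the authoritative answer for a given registration, since an authenticator asked for `"preferred"` may or may not have created one.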