Authored by Venkat Venkataraju & Jesper Johansson
Yubico Blog Update and Statement – 6/18/18
On June 13, 2018 we published this blog post and security advisory regarding WebUSB issues in Chrome. In hindsight we realize that we did not give enough credit in our blog post and security advisory to the foundational work done by Markus Vervier and Michele Orrù, who highlighted and demonstrated the first security vulnerability in WebUSB at OffensiveCon, and which was subsequently written up in a WIRED article. After posting, we communicated with them, apologized for this, and made updates to the blog post and security advisory to make sure proper credit was given.
Building on the publicly available information about work by Markus and Michele described in the article, Yubico investigated the issue and developed our own proof of concept (PoC) test tools. In the process we discovered additional issues with WebUSB and began outreach with Google on March 1st. Yubico first spoke with the researchers on March 2nd. The formal bug report which Yubico submitted to Google on March 5th, referenced the OffensiveCon talk by Markus and Michele and their original public announcement of the CCID issue in the first sentence. We submitted this privately to protect our customers and the broader U2F ecosystem.
Markus and Michele’s research provided a critical foundation, and we made a mistake by not clearly acknowledging them for their original research in our security advisory. We learned only on June 13, after we published our advisory, that Markus and Michele also discovered and reported HID issues to Google. We understand that better communication after the issue was fixed would have ensured that all parties were in sync, and will use this as an opportunity for improvement.
Yubico has always strived to be transparent and we regret the missed opportunity to work more collaboratively with Markus and Michele. Historically, Yubico has worked closely with security researchers across the globe and we are committed to continue to do so.
To improve the entire security ecosystem, Yubico is a strong believer in responsible disclosure practices. We believe that the best outcome happens when security researchers confidentially provide research and reporting to an impacted company, so a fix can be in place before any public disclosure to help protect users from the exploitation of the vulnerability.
This year, Yubico worked with Google under responsible disclosure to address WebUSB vulnerabilies in Google Chrome that affected the entire ecosystem of FIDO U2F authenticators, manufactured by Yubico and well as other vendors.
The original issue first surfaced in a news article in March 2018 describing how security researchers Markus Vervier and Michele Orrù had demonstrated how to circumvent the FIDO U2F origin check using WebUSB functionality in Google Chrome and the YubiKey NEO’s USB CCID U2F interface.
Once Yubico was informed of the CCID issue, our own researchers quickly discovered there was a broader set of security concerns within WebUSB that affected the entire ecosystem of FIDO U2F authenticators. To help protect the U2F ecosystem, we disclosed these issues to Google in early March and worked closely with their engineering teams on a mitigation plan to address this issue and secure all U2F customers.
With the May 29, 2018 release of Chrome 67, Google fixed the WebUSB vulnerability and the issue could no longer affect any (Yubico or other) U2F authenticators. To read the detailed report of the WebUSB issue in Chrome, please visit our Security Advisories page for full analysis.
For this research and disclosure, Google awarded Yubico a bug bounty in the amount of $5,000, which Yubico has opted to donate to charity. Yubico chose Girls Who Code, a non-profit that aims to support and increase the number of women in computer science. Additionally, Google has matched the donation with another $5,000, resulting in a $10,000 donation to Girls Who Code, to further support efforts at increasing diversity in our field.
The security ecosystem is only as strong as the weakest link and if we, as a community of vendors and security researchers effectively and respectfully work together, we can secure not only end users, but the entire ecosystem from continually evolving threats.
For the protection of everyone, we encourage all researchers to responsibly disclose any discovered security concerns to the affected company so they may implement a fix before any public disclosure. To contact the security team at Yubico please email firstname.lastname@example.org.
June 13th Update: We were just made aware that the original researchers reported the Windows HID issue to Google around the same time we submitted it to Google. We were not aware of this at the time, we independently discovered it while investigating the public CCID issue, and followed standard responsible disclosure practices by sending all our findings, including the Windows HID issue, only to the affected vendor in order to afford maximum protection for the ecosystem.