A novel attack technique has emerged, enabling threat actors to bypass the robust protections offered by Fast IDentity Online (FIDO) keys. These keys are specifically designed to combat phishing by linking logins to particular domains through public-private key cryptography. However, attackers are now exploiting a legitimate feature called cross-device sign-in to deceive users into unknowingly approving malicious authentication requests. This sophisticated method, observed by Expel in an ongoing phishing campaign, is attributed to a group known as PoisonSeed, which has also been seen leveraging compromised CRM tools to send spam and drain digital wallets.
The core of this attack lies in its abuse of the cross-device sign-in functionality. While this feature is intended to allow users to authenticate on a device without a passkey by using a second device that does hold the key (like a mobile phone), PoisonSeed turns it into an adversary-in-the-middle (AitM) attack. The technique is not universally effective; it specifically targets scenarios where cross-device flows lack stringent proximity checks, such as Bluetooth or local device attestation. If a user’s environment mandates hardware security keys directly plugged into the login device or utilizes platform-bound authenticators like Face ID, the attack chain is broken.
The attack typically begins with a phishing email that lures victims to a fake sign-in page, often mimicking an enterprise’s legitimate Okta portal.
Once a victim enters their credentials on this spoofed site, the information is stealthily relayed to the actual login page. The phishing site then manipulates the legitimate login page to use the hybrid transport method for authentication, which prompts the real page to generate a QR code. This QR code is immediately captured by the phishing site and presented to the unsuspecting victim.
Should the user scan this relayed QR code with their mobile authenticator app, it inadvertently grants the attackers unauthorized access to their account. This bypass is noteworthy because it circumvents the inherent phishing resistance of FIDO keys without exploiting any flaw in the FIDO implementation itself. Instead, it ingeniously abuses a legitimate, flexible feature to downgrade the authentication process. The attack leverages the fact that FIDO2’s cross-device login flow, or hybrid transport, can be misused if robust proximity verification is not enforced, essentially turning a secure feature into a phishing loophole due to its flexible implementation.
To enhance user account protection against such attacks, organizations should implement stronger measures.
This includes pairing FIDO2 authentication with device verification checks, encouraging logins on the same device that holds the passkey, and closely monitoring for unusual QR code logins or new passkey enrollments. Furthermore, account recovery options should prioritize phishing-resistant methods, and login screens—especially for cross-device sign-ins—should display crucial details like location or device type, or issue clear warnings to help users identify suspicious activity. These findings underscore the critical need for adopting phishing-resistant authentication throughout an account’s entire lifecycle, including recovery phases, as a single point of vulnerability can compromise an entire identity infrastructure.
Reference:
