This reports a vulnerability that allows a malicious entity to take over accounts secured with FIDO2 / Passkeys.
This was discussed with W3C WebAuthn contributors: w3c/webauthn#1965
- When a legitimate user goes to authenticate to a Relying Party (RP), the RP generates a `publicKey` options object containing a random challenge and the `rpId`, and sends it to the user's browser.
- The browser calls `navigator.credentials.get()`, which passes the `publicKey` object to a security key or Trusted Platform Module over CTAP.
- The browser (on Linux, where WebAuthn is implemented in the browser) or the system (on Windows, via webauthn.dll) prompts the user to act on the authenticator. This action may be giving a fingerprint, entering a PIN, or simply touching the authenticator.
- The authenticator signs the challenge with the private key of the key pair previously stored in it and generates an `AuthenticatorAssertionResponse`.
- The RP server verifies the response with the previously saved public key to authenticate the user.
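To make the last step concrete, the following is an added example (not code from this report or from the fidovulntest repository) of what an RP actually checks when it verifies an `AuthenticatorAssertionResponse`. It assumes ES256 (ECDSA over P-256), a single credential, and an in-process stand-in for the authenticator instead of a real CTAP device; the type and function names (`Authenticator`, `RelyingParty`, `BuildClientDataJSON`, `VerifyAssertion`) are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Assertion carries the AuthenticatorAssertionResponse fields that reach the RP.
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

// clientData is the subset of CollectedClientData the RP checks; Challenge is unpadded base64url.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a constructed in-process stand-in for a security key (assumption: no real CTAP).
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string
	counter uint32
}

// NewAuthenticator creates one ES256 credential bound to rpID and returns the public key the RP stores.
func NewAuthenticator(rpID string) (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, &priv.PublicKey, nil
}

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the ES256 signing input.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// GetAssertion models CTAP authenticatorGetAssertion: the key only sees the rpId and the client
// data hash, so it cannot tell which process on the host produced the clientDataJSON.
func (a *Authenticator) GetAssertion(clientDataJSON []byte) (Assertion, error) {
	rpIDHash := sha256.Sum256([]byte(a.rpID))
	a.counter++
	authData := append(rpIDHash[:], 0x05) // rpIdHash || flags (UP = bit 0, UV = bit 2)
	authData = binary.BigEndian.AppendUint32(authData, a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, clientDataJSON))
	return Assertion{authData, clientDataJSON, sig}, err
}

// BuildClientDataJSON is the browser's step before it calls the authenticator.
func BuildClientDataJSON(challenge []byte, origin string) ([]byte, error) {
	return json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
}

type RelyingParty struct {
	ID, Origin  string // rpId, and the origin expected inside clientDataJSON
	PubKey      *ecdsa.PublicKey
	LastCounter uint32
}

// VerifyAssertion runs the RP-side checks: challenge, origin, rpIdHash, user presence, counter, signature.
func (rp *RelyingParty) VerifyAssertion(expectedChallenge []byte, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if len(a.AuthenticatorData) < 37 {
		return fmt.Errorf("authenticatorData too short")
	}
	ch, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	rpIDHash := sha256.Sum256([]byte(rp.ID))
	counter := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	for _, c := range []struct{ bad bool; msg string }{
		{cd.Type != "webauthn.get", "unexpected clientData type"},
		{err != nil || !bytes.Equal(ch, expectedChallenge), "challenge mismatch"},
		{cd.Origin != rp.Origin, "origin mismatch"},
		{!bytes.Equal(a.AuthenticatorData[:32], rpIDHash[:]), "rpIdHash mismatch"},
		{a.AuthenticatorData[32]&0x01 == 0, "user presence flag not set"},
		{counter != 0 && counter <= rp.LastCounter, "signature counter did not increase (replay or clone)"},
		{!ecdsa.VerifyASN1(rp.PubKey, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature), "bad signature"},
	} {
		if c.bad {
			return fmt.Errorf("%s", c.msg)
		}
	}
	rp.LastCounter = counter
	return nil
}

func main() {
	auth, pub, _ := NewAuthenticator("example.com")
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", PubKey: pub}
	challenge := []byte("constructed challenge; a real RP draws it from crypto/rand")
	cdj, _ := BuildClientDataJSON(challenge, rp.Origin)
	a, _ := auth.GetAssertion(cdj)
	fmt.Println("first use:", rp.VerifyAssertion(challenge, a), "| replayed:", rp.VerifyAssertion(challenge, a))
}
```

The point for a defender is what these checks cover and what they cannot: the challenge and origin live in a `clientDataJSON` that was produced by a browser genuinely talking to the RP, and the signature comes from the user's real authenticator, so an assertion obtained by relaying the `publicKey` object to the victim's authenticator satisfies every one of them. The signature counter only catches a replayed or cloned credential, not a fresh signature from the genuine key. Which process on the host handed the request to the authenticator is invisible to the RP; that is the platform-side weak point the report describes.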
The attack allows an attacker to prompt a user to complete a legitimate WebAuthn/FIDO authentication action. Once the user interacts with the FIDO authenticator (such as a security key or biometric device), the attacker, through malware installed on the system, takes control of the session. This occurs due to weaknesses in how the protocol handles authentication challenges and the interaction with underlying operating system components. The attacker can then exploit the session, bypassing the intended security protections and gaining unauthorized access to sensitive accounts.
- Malware installation: The malware is installed on the victim's system. This could be done through phishing, social engineering or drive-by downloads. The package may be part of an existing trojan or a standalone piece of malware. It can be set to start on boot and phone home to the C2 servers. (This malware does not need elevated privileges.)
- C2 initialization: The malicious actor controls a C2 server that the malware can reach. The C2 server only needs to exchange binaries or Base64-encoded text files and hence does not need to be sophisticated. Even social media bots (Telegram, Discord, etc.), email clients or cloud file storage clients such as AWS S3 may serve as the C2 channel.
- Attack initialization: The attacker uses their own web browser, with an extension or a web proxy such as Burp Suite, to capture the `publicKey` object. It is Base64-encoded and sent to the C2 server, which forwards it to the malware running on the victim's machine.
- Prompting: The malware communicates with webauthn.dll on Windows, or uses its own CTAP implementation on Linux, to send the `publicKey` object to the authenticator. The system prompts the user for action.
- Post action: The malware receives the `AuthenticatorAssertionResponse` and sends it back to the C2 server.
- Attack completion: The malicious actor can now use this response to complete the authentication on behalf of the user.
- Exploitation: On completion, the authentication is bypassed and the malicious actor is successfully authenticated as the victim.
- The vulnerability stems from improper handling of authentication interaction by the OS which allows the malware to open the authenticator by spoofing the RP ID.
- The vulnerability affects all implementations following the WebAuthn / FIDO protocols and has been tested on Windows and Linux.
- The malware acts as an intermediary between the user and the RP, leveraging weak points in invoking the authenticator.
- Sample code can be found at https://github.com/AdityaMitra5102/fidovulntest
- A demo can be found at https://youtu.be/Lh45VzZqQ60