Phishing is a major concern if you live a lot of your life on the internet. There are plenty of ways to protect against phishing attacks with software, but one of the best methods is hardware USB keys. An authentication device can protect you even if the attacker has your username and password. At least that’s what they’ll tell you. A pair of researchers proved that these devices are not invincible. A feature in Chrome called WebUSB made it possible to bypass the protections.
WebUSB is a feature that allows websites to connect directly to USB devices; it was added in Chrome 61. Attackers can use the feature with an accompanying website to convince someone to type in their username and password, then relay them directly to the authentication device to unlock the account. Obviously, with Chrome being the most popular browser on the planet, this is a pretty serious vulnerability.
When asked about it, Google’s security product manager said they are aware of the situation. They consider this type of attack to be an edge case, but they are working to fix the problem. For the time being, Google has disabled the WebUSB feature entirely. The change was spotted in Chromium just yesterday. Users can apply a command-line flag if they really want to re-enable the feature. For now, the problem has been solved by removing the moving parts.