Ethical Hacking News
Phishers have found a way to downgrade, rather than bypass, FIDO (Fast Identity Online) multifactor authentication by abusing cross-device sign-in and the QR code that flow relies on. A recent campaign by the PoisonSeed group used the technique against accounts enrolled in FIDO-based MFA, and it is a reminder that the strength of a FIDO deployment depends on which fallback methods an organization allows to sit alongside it.
The technique was identified by security firm Expel while analyzing an email phishing campaign that tricked users into entering their valid usernames and passwords on a fake Okta login page. A member of the PoisonSeed group then entered those credentials, in real time, into the genuine Okta login page. Once the MFA step had been relayed as well, the attackers had the user's account and, with it, access to sensitive documents, applications, and tools.
The FIDO spec, as Expel noted, was designed to stop exactly this kind of credential relay: the user proves possession of a security key or other registered device, and the key's signature is bound both to the domain of the site and to a challenge that site issued, so a credential phished on a look-alike domain is useless on the real one. What the researchers found, however, is that phishers can avoid the FIDO step entirely by steering the login toward a weaker MFA method that the cross-device sign-in and QR code flow makes available.
The attack begins with an email linking to the fake Okta login page, where the user enters a valid username and password. The attackers submit those credentials to the genuine Okta page and select cross-device sign-in, which causes Okta to display a QR code. That QR code is relayed back to the phishing page, where the user scans it with their MFA authenticator. The authenticator then approves the session the attackers opened, and the login completes without the user's FIDO key ever being exercised.
Had the targeted Okta MFA process followed FIDO requirements, the login would have failed for at least two reasons. First, under FIDO's hybrid (cross-device) transport, the phone providing the authentication would need to be physically close enough to the attacker's device to pair with it over Bluetooth, so a QR code relayed to a remote victim goes nowhere. Second, the challenge the hybrid device signs is bound to the origin of the page that requested it, which here would be the fake site (okta[.]login-request[.]com) rather than the genuine okta.com domain, so Okta would reject the signature.
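To make the second of those two conditions concrete, here is an added example, written for this page rather than taken from the article, Expel, or Okta, of the relying-party check that makes a FIDO/WebAuthn assertion domain-bound. It models a toy authenticator and an okta.com relying party in Go; the host names, the single P-256 credential, and the simplification that the authenticator signs for whatever RP ID the browser names (a conforming one would additionally refuse an RP ID it has no credential for) are assumptions for the demonstration. It goes beyond the article by showing both places the binding is enforced: the origin the browser records in clientDataJSON and the RP ID hash inside the signed authenticator data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed values (assumed for the demo): the RP ID, the genuine origin, and the look-alike host.
const (
	RPID          = "okta.com"
	GenuineOrigin = "https://okta.com"
	PhishOrigin   = "https://okta.login-request.com"
)

// clientData mirrors WebAuthn clientDataJSON; the browser, not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a toy FIDO authenticator with one P-256 credential. It signs for whatever
// RP ID the browser hands it; a conforming one would also refuse an unknown RP ID outright.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// NewAuthenticator enrols a credential and returns the public key the RP stores for it.
func NewAuthenticator() (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, &priv.PublicKey
}

// signedDigest is what gets signed: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert builds authenticatorData = rpIdHash || flags(UP) || counter and signs it with clientDataJSON.
func (a *Authenticator) Assert(rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, clientDataJSON))
	return authData, sig, err
}

// VerifyAssertion is the relying party's check, in WebAuthn order: type and challenge, origin, rpIdHash, signature.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge string, clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("wrong type or challenge: not the request this session issued")
	}
	if cd.Origin != GenuineOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, GenuineOrigin)
	}
	if want := sha256.Sum256([]byte(RPID)); len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch: assertion is scoped to another RP ID")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, clientDataJSON), sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// LoginAttempt runs one ceremony: the RP issues a fresh challenge, a browser at pageOrigin wraps
// it in clientDataJSON and asks the authenticator to sign for that page's host, and the RP verifies.
// For PhishOrigin the challenge is the genuine one, relayed to the victim as PoisonSeed relayed the QR code.
func LoginAttempt(auth *Authenticator, pub *ecdsa.PublicKey, pageOrigin string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	host := pageOrigin[len("https://"):] // the browser derives the RP ID from its own origin, not from the page
	authData, sig, err := auth.Assert(host, cdJSON)
	if err != nil {
		return err
	}
	return VerifyAssertion(pub, challenge, cdJSON, authData, sig)
}

func main() {
	auth, pub := NewAuthenticator()
	fmt.Println("genuine okta.com login:", LoginAttempt(auth, pub, GenuineOrigin))
	fmt.Println("relayed challenge on phishing site:", LoginAttempt(auth, pub, PhishOrigin))
}
```

Run it and the genuine login verifies while the relayed one fails at the origin check; even an attacker who could somehow forge the origin field would still trip the rpIdHash check, because the authenticator hashed the host the browser was actually on. A relayed challenge therefore buys the attacker nothing under FIDO, which is why the campaign had to steer the login toward a method with no such binding.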
Expel's researchers concluded that this was a FIDO downgrade attack rather than a bypass: the attackers never defeated a FIDO credential, they exploited the cross-device sign-in option and the relayable QR code to reach a non-FIDO method instead. The firm noted that the attack highlights the need for organizations to think carefully before allowing their FIDO-protected authentication processes to fall back to other forms of MFA.
In the meantime, end users should take pains to use only FIDO-compliant forms of authentication, and should be wary when a login page asks them to scan a QR code with an authenticator on another device, since that step is exactly what this campaign relays. The distinction between FIDO and non-FIDO methods is not always obvious, but FIDO's domain binding and possession requirement provide protections that traditional MFA methods such as one-time codes and push approvals do not.
Related Information:
https://www.ethicalhackingnews.com/articles/Exploiting-FIDO-MFA-A-Phishing-Attack-Downgrades-Security-Protocols-ehn.shtml
https://arstechnica.com/security/2025/07/no-phishers-are-not-bypassing-fido-mfa-at-least-not-yet-heres-why/
Published: Fri Jul 18 15:43:36 2025 by llama3.2 3B Q4_K_M