

Ethical Hacking News

The PoisonSeed Phishing Campaign: A Threat to FIDO2 MFA Security


Threat actors have successfully bypassed the security features of FIDO2 MFA protocols using a sophisticated phishing campaign known as PoisonSeed, which exploits legitimate features within WebAuthn to trick users into approving login authentication requests from fake company portals. This poses a significant threat to online user accounts and highlights the ongoing need for proactive measures to mitigate risk.

  • The PoisonSeed phishing campaign bypasses FIDO2 MFA security by exploiting a legitimate feature within WebAuthn.
  • The attack tricks users into approving login authentication requests from fake company portals by abusing the cross-device sign-in feature.
  • The attackers use an adversary-in-the-middle (AiTM) backend to silently log in with submitted credentials on the legitimate login portal.
  • The attack exploits cross-device authentication, bypassing FIDO2 security key protections and relying on QR codes for authentication approval.
  • Several defenses can help prevent this type of attack, including limiting the geographic locations from which users may log in and requiring Bluetooth-based authentication for cross-device sign-in.



Threat actors have been found employing a sophisticated phishing campaign, tracked as PoisonSeed, that has successfully bypassed the security features of FIDO2 multi-factor authentication (MFA). The attack uses a legitimate feature of WebAuthn to trick users into approving login requests from fake company portals. This poses a significant threat to the security and integrity of online user accounts.

In recent years, FIDO2 has become an industry standard for MFA, offering stronger security than traditional password-based authentication. Despite these advantages, it is not immune to abuse by sophisticated threat actors. The PoisonSeed campaign leverages the cross-device sign-in feature of WebAuthn, which lets a user authenticate on one device using a security key or authenticator app on another device.

The attack begins by directing users to a phishing site that impersonates a corporate login portal such as Okta or Microsoft 365. Once the user enters their credentials, the campaign's adversary-in-the-middle (AiTM) backend silently submits them to the legitimate login portal in real time. The user would normally complete the MFA step with their FIDO2 security key; instead, the phishing backend tells the legitimate portal to authenticate using cross-device authentication.

The legitimate portal then generates a QR code, which is relayed back to the phishing page and displayed to the user. When the user scans this QR code with their smartphone or authenticator app, they approve the login attempt that the attacker initiated. In effect, the PoisonSeed attackers bypass the protection of the user's physical FIDO2 key by steering the login flow onto cross-device authentication instead.

Because the attack relies on a legitimate WebAuthn feature rather than a flaw in the FIDO2 implementation itself, it has significant implications for organizations and individuals relying on FIDO2-based MFA. Awareness of the PoisonSeed campaign and proactive mitigation are therefore essential.

According to security firm Expel, several defenses can help prevent this type of attack: limiting the geographic locations from which users may log in, establishing a registration process for individuals who travel, and regularly reviewing FIDO key registrations for unknown keys, unfamiliar locations, and uncommon security key brands. Organizations may also consider requiring Bluetooth-based authentication for cross-device sign-in, which significantly reduces the effectiveness of remote phishing attacks.
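As an added illustration (not code from the article, from Expel, or from any identity provider), the Python script below turns the defenses above into detection rules run over a constructed sign-in log. It flags logins from outside the allowed countries (honouring per-user travel registrations), FIDO key registrations from unfamiliar locations or of authenticator models not on an allow-list, and the signal implied by the attack narrative itself: a cross-device assertion (WebAuthn transport value `hybrid`, the QR code flow) for a user whose only enrolled keys are USB or NFC. The JSON-lines schema, field names, AAGUID strings, user names and country policy are all assumptions made for this example.

```python
"""Detection rules for PoisonSeed-style FIDO2 downgrade signals.

Added example: the event schema below is constructed for illustration and is
not any vendor's real log format.
"""
import json
from dataclasses import dataclass

# WebAuthn AuthenticatorTransport values include "usb", "nfc", "ble",
# "internal" and "hybrid"; "hybrid" is the cross-device (QR code) flow.
CROSS_DEVICE_TRANSPORTS = {"hybrid"}

# Policy inputs (constructed for this example).
ALLOWED_COUNTRIES = {"US", "DE"}            # where staff normally sign in from
TRAVEL_REGISTRATIONS = {"bob": {"FR"}}      # pre-registered travel, per user
# Allow-list of approved authenticator models keyed by AAGUID. The values are
# placeholders, not real AAGUIDs; anything else counts as an uncommon model.
KNOWN_AAGUIDS = {"00000000-placeholder-corp-key": "corporate security key"}

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-07-18T08:00:00Z","type":"register","user":"alice","transport":"usb","aaguid":"00000000-placeholder-corp-key","country":"US"}
{"ts":"2025-07-18T08:05:00Z","type":"login","user":"alice","transport":"usb","country":"US"}
{"ts":"2025-07-18T09:10:00Z","type":"login","user":"alice","transport":"hybrid","country":"US"}
{"ts":"2025-07-18T09:30:00Z","type":"register","user":"bob","transport":"usb","aaguid":"00000000-placeholder-corp-key","country":"US"}
{"ts":"2025-07-18T10:00:00Z","type":"login","user":"bob","transport":"usb","country":"FR"}
{"ts":"2025-07-18T10:20:00Z","type":"register","user":"carol","transport":"usb","aaguid":"00000000-placeholder-corp-key","country":"US"}
{"ts":"2025-07-18T11:00:00Z","type":"login","user":"carol","transport":"hybrid","country":"NL"}
{"ts":"2025-07-18T11:05:00Z","type":"register","user":"carol","transport":"nfc","aaguid":"ffffffff-unknown-vendor","country":"NL"}
"""


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def country_allowed(user, country):
    """Geo policy: the global allow-list plus any travel the user registered."""
    return country in ALLOWED_COUNTRIES or country in TRAVEL_REGISTRATIONS.get(user, set())


def analyse(log_text):
    """Replay events in order and return the findings the rules produce."""
    registered = {}   # user -> transports of the keys enrolled so far
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user, kind, country, transport = ev["user"], ev["type"], ev["country"], ev["transport"]

        if kind == "register":
            # Key enrolled from an unfamiliar location or of an unapproved model.
            if not country_allowed(user, country):
                findings.append(Finding(user, "key_registered_from_unknown_location",
                                        f"{transport} key registered from {country}"))
            if ev["aaguid"] not in KNOWN_AAGUIDS:
                findings.append(Finding(user, "uncommon_key_model",
                                        f"aaguid {ev['aaguid']} is not an approved model"))
            registered.setdefault(user, set()).add(transport)
            continue

        # Login events: geo policy first, then the cross-device downgrade check.
        if not country_allowed(user, country):
            findings.append(Finding(user, "login_outside_allowed_geo", f"login from {country}"))
        known = registered.get(user)
        # A hybrid (QR code) assertion for a user who only enrolled physical
        # USB/NFC keys matches the PoisonSeed pattern described in the article.
        if transport in CROSS_DEVICE_TRANSPORTS and known and not (known & CROSS_DEVICE_TRANSPORTS):
            findings.append(Finding(user, "cross_device_downgrade",
                                    f"hybrid assertion although only {sorted(known)} keys are enrolled"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.user:6} {f.rule:40} {f.detail}")
```

On the sample log this yields five findings: alice's hybrid assertion is flagged as a downgrade even though it came from an allowed country, bob's login from France is accepted because of his travel registration, and carol produces both a downgrade and a geo finding followed by two findings for the unknown key enrolled from the Netherlands. In production the geo and model allow-lists would come from the identity provider's policy rather than module constants.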

Expel also observed an incident in which a threat actor registered their own FIDO key after compromising an account, believed to have been achieved through phishing followed by a password reset. That attack needed no trick such as a QR code to deceive the user. Both cases show threat actors finding ways around phishing-resistant authentication by exploiting legitimate features of existing MFA protocols.

The PoisonSeed phishing campaign is a stark reminder of the ongoing cat-and-mouse game between security professionals and sophisticated threat actors. As technology advances, so too must the defenses against these threats. By staying informed about emerging attack vectors and implementing proactive measures to mitigate risk, organizations can safeguard their users' sensitive information against the evolving threat landscape.

In conclusion, the PoisonSeed phishing campaign poses a significant threat to FIDO2 MFA security by exploiting legitimate WebAuthn features to trick users into approving login requests from fake company portals. Understanding this attack vector and taking proactive measures to mitigate the risk allows organizations to protect their users against this and similar emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-PoisonSeed-Phishing-Campaign-A-Threat-to-FIDO2-MFA-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido2-mfa-auth-in-poisonseed-phishing-attack/


  • Published: Sat Jul 19 13:50:46 2025 by llama3.2 3B Q4_K_M
