A new attack technique has been discovered that allows the hacker group PoisonSeed to bypass the protection of FIDO security keys, which are considered the “gold standard” in passwordless, phishing-resistant authentication today. What makes this technique distinctive is that it does not exploit a vulnerability in the FIDO protocol; instead, the attacker abuses a legitimate feature: the cross-device sign-in mechanism.


The nature of the attack

The cross-device sign-in feature allows users to approve a login on one device (e.g., a desktop computer) using another device (such as a phone holding a FIDO credential). This is convenient, but it opens a security blind spot: the user cannot directly verify which domain is actually requesting the authentication.

The attack sequence is as follows:

  1. The attacker sends a phishing email luring the user to a fake login portal (e.g., a forged Okta page).
  2. The user enters their username and password into the fake page.
  3. The attacker relays those credentials in the background to the real login page.
  4. The real login page responds by generating a QR code for cross-device authentication.
  5. The attacker passes that QR code back to the user through the fake interface.
  6. When the user scans the QR code with the authenticator app on their phone, they unknowingly approve a login session that the attacker created, and the attacker gains access to the account.

In essence, the user is authenticating a session that is not theirs, but still believes the process is legitimate.


Why is this technique so dangerous?

This is a typical example of an authentication downgrade: the authentication process is pushed into a form that is easy to manipulate, even though the underlying technology is modern and secure.

Notable points:

  • It defeats FIDO protection without exploiting any technical vulnerability.
  • Because it abuses a legitimate feature, it is almost invisible to monitoring systems.
  • When combined with an Adversary-in-the-Middle (AitM) setup, the attack becomes even harder to detect.
  • The attacker can then enroll their own FIDO key on the victim’s account, taking away the real user’s ability to recover it.

Up to now, there has been no specific record of organizations or users in Vietnam becoming victims of the campaign. However, the PoisonSeed attack group has deployed the technique on a global scale, leveraging CRM platforms and mass email systems to spread phishing links containing malicious QR codes.

Therefore, organizations in Vietnam, especially those using platforms such as Okta, Google Workspace, Microsoft 365 or having implemented FIDO keys, should actively monitor and assess risks.

Security teams at organizations and businesses should also note:

  1. Do not just deploy FIDO; also make sure the correct authentication domain is configured so that approvals cannot be misdirected.
  2. Restrict or disable cross-device login where it is not needed, especially on sensitive accounts.
  3. Train users to recognize phishing via QR codes and fake emails containing authentication instructions.
  4. Raise an alert whenever a new FIDO key is added to an account.
  5. Protect the entire account lifecycle, including the password recovery phase, which is a common weak point.
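One way to put points 2 and 4 above into practice, as an added example that is not part of the original article: a small Python detector run over constructed authentication events, which flags a cross-device (hybrid-transport) FIDO login from an IP address the account has never used, and then a new key enrolled shortly after such a login. The event format, field names, IP addresses and time window are assumptions made for this example.

```python
# Added example (not from the article): detect the risky sequence the article
# describes, i.e. a FIDO login over the cross-device ("hybrid") transport from a
# client the account has never been seen on, followed soon after by enrollment of
# a new FIDO key. Event format and field names are constructed for this example.
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"ts":"2025-07-21T08:00:00Z","user":"alice","event":"password_ok","ip":"203.0.113.7"}
{"ts":"2025-07-21T08:00:20Z","user":"alice","event":"webauthn_ok","ip":"203.0.113.7","transport":"hybrid"}
{"ts":"2025-07-21T08:05:00Z","user":"alice","event":"fido_key_added","ip":"203.0.113.7","cred":"cred-new-1"}
{"ts":"2025-07-21T09:00:00Z","user":"bob","event":"password_ok","ip":"198.51.100.3"}
{"ts":"2025-07-21T09:00:15Z","user":"bob","event":"webauthn_ok","ip":"198.51.100.3","transport":"usb"}
{"ts":"2025-07-21T09:30:00Z","user":"bob","event":"fido_key_added","ip":"198.51.100.3","cred":"cred-new-2"}
"""

# Constructed baseline: IPs each account has previously logged in from.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.3"}}
# A key enrolled within this window after a risky login is treated as suspicious.
ENROLL_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious(events, known_ips):
    """Return (user, reason) alerts for hybrid-transport logins from unseen IPs
    and for FIDO key enrollments that follow such a login within ENROLL_WINDOW."""
    alerts = []
    risky_logins = {}  # user -> time of the hybrid login from an unknown IP
    for e in events:
        user = e["user"]
        if (e["event"] == "webauthn_ok" and e.get("transport") == "hybrid"
                and e["ip"] not in known_ips.get(user, set())):
            risky_logins[user] = e["ts"]
            alerts.append((user, "cross-device FIDO login from unseen IP " + e["ip"]))
        elif e["event"] == "fido_key_added":
            started = risky_logins.get(user)
            if started is not None and e["ts"] - started <= ENROLL_WINDOW:
                alerts.append((user, "new FIDO key " + e["cred"] + " enrolled shortly after risky login"))
    return alerts


if __name__ == "__main__":
    for user, reason in find_suspicious(parse_events(SAMPLE_LOG), KNOWN_IPS):
        print(user, "-", reason)
```

Only alice's session is flagged: bob used a USB key from an IP already on his baseline, so his later key enrollment is not correlated with a risky login.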

WhiteHat’s point of view: This attack technique again shows that the security risk comes not only from software vulnerabilities but also from the way we design and use seemingly “innocent” features in our systems. The fact that a function such as inter-device login, which was designed to help users more conveniently, was used to bypass the FIDO key is a clear wake-up call.

For security professionals, this is a reminder to take a look at the entire authentication architecture, especially how users interact with it in real life. No matter how powerful a system is, it can be defeated if the user authenticates the wrong login session or if the support features themselves become “open”.

Monitoring behavior, responding quickly to anomalies, and questioning every feature that is exposed to users are things that should never be taken lightly.

The Hacker News