
Vendors, Disclosure, and a bit of WebUSB Madness - jwildeboer
http://pwnaccelerator.github.io/2018/webusb-yubico-disclosure.html
======
anfedorov
Was there some work-around I'm missing or did they literally go "yeah this
website can send anything to the YK device directly, what could go wrong?".
Because the folks at Google Security are definitely smart and many orders of
magnitude more experienced than me, and that's a vuln even I can understand /
see the problem with so something institutional must have gone way wrong if
WebUSB shipped on the stable release without some kind of block-U2F-forgery
filter.

As far as Yubico, I get that they are doing something pretty hard in the
hardware / product-market-fit domains, and I respect that and I want them to
succeed, but they appear to be seriously dropping the ball on the software
part of their product [1], as well as "simplicity breeds security". They could
do so much better on the actual UI/UX if they piece-by-piece copied the setup
UX of a "smart" vacuum cleaner.

1\. I emailed them & submitted an on-site support ticket days ago about some of
their certs having expired on 2017-05-10, and have gotten not a peep in
response & no fix in sight. Did nobody set a team calendar reminder and is
nobody responsible for checking it on a monthly / quarterly / at the very
least end-of-year cycle? That seems pretty elementary "underwear goes inside
the pants" kind of security competence.

[https://i.imgur.com/bOCfXJ2.png](https://i.imgur.com/bOCfXJ2.png)
[https://developers.yubico.com/yubikey-neo-manager/Releases/y...](https://developers.yubico.com/yubikey-neo-manager/Releases/yubikey-neo-manager-1.4.0-mac.pkg)

~~~
michaelt

      did they literally go "yeah this website can send
      anything to the YK device directly, what could go wrong?".
    

WebUSB displays a prompt, albeit an uninformative one [1]. The idea is to
trick the user into enabling WebUSB when they think they're enabling U2F.

[1]
[https://developers.google.com/web/updates/images/2016-03-02-...](https://developers.google.com/web/updates/images/2016-03-02-access-usb-devices-on-the-web/usb-device-chooser.png)

~~~
floatboth
Well that clearly doesn't look like a U2F prompt.

Of course U2F devices should be excluded from the list, and there should be
some warning text about "do not allow important devices on random websites",
but that doesn't seem like a huge deal.

~~~
michaelt

      Well that clearly doesn't look like a U2F prompt.
    

Thus downgrading U2F from "makes phishing impossible" to "relies on the user
taking care to spot phishing attempts".

~~~
josteink
So just like any other phishing attempt then. What did we gain again?

~~~
mehrdadn
Playing devil's advocate here (because I do agree this would be ridiculous but
I think this is worth pointing out), but you can never completely rule out
tricking the user. They could always download a file and run it to bypass the
browser or something. So the question really _is_ how easy it is to trick the
user here.

------
pdkl95
> We realized this is not limited to U2F / FIDO and developed a generic proxy
> that allows to forward any USB device exposed to WebUSB to a remote system.

 _~sigh~_

It's really depressing to learn that reality was _much worse_ than any of my
"this is going to end badly" predictions[1]. I originally thought[2] the
problems would start on the hardware side with devices that were never
designed for security. Forwarding everything with a proxy is _shockingly_
worse.

[1]
[https://news.ycombinator.com/item?id=11466197](https://news.ycombinator.com/item?id=11466197)

[2]
[https://news.ycombinator.com/item?id=11466415](https://news.ycombinator.com/item?id=11466415)

~~~
anfedorov
Aside from the "no HID" (does a YK even count as a HID if you turn off the
default slot 1 functionality?), was the proxy designed to have a firewall /
sandboxing of some sort? Google engineers have done some incredible things and
while ambitious, it seems this kind of thing is well within their reach.

------
mehrdadn
Ouch.

> Also there seems to be a kind of relationship between Google and Yubico that
> I would love to know more about.

I've gotten this impression too, though looking back, it may be because Google
suggests you Google for U2F, and every time I search for U2F I see Yubico.
Anyone know more about this?

~~~
kaendfinger
The real reason is Google buys YubiKeys en masse from them for employee use
(every employee has one), and works with them closely in various ways.

In fact, they were closely involved when developing the USB Type-C variant.

~~~
baybal2
Can you elaborate more on that? To my knowledge, it was the Intel, TI, Tyco,
STM quadriga who were responsible for the nearly complete standard of USB
Type-C, with the software/consumer industry being given an "eat or die" choice,
with Apple's engineers apparently actually trying to stall the standard release.

~~~
kaendfinger
If you meant to reply to my comment, Google is perhaps the largest deployer of
Yubico products, and that is where their collaboration holds the most weight.

If there is a security issue with YubiKeys, it puts Google's corporate systems
at risk.

~~~
baybal2
I was asking about USB Type-C. To my knowledge, Apple, MS, and Google were
there just to give blessings on RFCs.

------
geofft
> _Also there seems to be a kind of relationship between Google and Yubico
> that I would love to know more about._

Google and Yubico developed U2F, so....

Still, precisely because of this, I would say it's poor form for Google to
award Yubico a bug bounty relating to U2F (would they award a bug bounty to an
Android manufacturer for a kernel bug?).

It also seems like poor form for Yubico not to disclose their research when
asking about the same topic to another researcher, and poor form for Google to
be unwilling to award two bounties (this isn't the patent office,
acknowledging and even incentivizing multiple discovery is fine).

------
mtgx
WebUSB was an obviously bad idea right from the start, just like Web Bluetooth
was, both of which I believe were proposed by Google. It all comes from this
nonsense idea from Google that "all devices should be directly connected to
the internet" (and thus owned by botnets).

Mozilla team, if you're reading, please reject implementing, or at least
enabling by default, such APIs with extremely high risk to the user in your
browser - "sandbox" or not.

~~~
taf2
How can you build applications on the web that use Bluetooth or USB devices
without these APIs? Here there is a lot of hate for web based applications but
I think this is because the web unlike native apps has a huge amount of
transparency that means we can have solid debate about the approaches and
solutions taken. In your closed source native app who knows what you chose for
security, tracking and anything else about your app is not transparent. I
always prefer web based applications over native. Native means I have far less
trust in the application. Is it even using TLS for network requests? So many
things we can't see in a native app.

~~~
michaelt

      How can you build applications on the web that use
      Bluetooth or USB devices without these APIs?
    

Same way you use mice, keyboards, sound cards, printers, webcams and so on: a
generic, secure interface supported by all device makers, OSes and browsers.

The whole benefit of web apps is they demand less trust because they're better
sandboxed. Poking holes in the sandbox (like WebUSB) makes web apps worse, not
better.

~~~
kilburn
Yeah, and if the powers that be (browser vendors) don't implement the generic
interface you need (e.g.: signature tablets, cash drawers, NFC readers, memory
card readers, etc.) then you:

a) Don't do it and pivot your company to doing something else.

b) Implement your own solution with companion native apps that build this
missing bridge. Out of public scrutiny and with many times less resources, but
hey: the browser is secure! ;)

------
WhatsName
This is what bugs me a lot when it comes to bug bounties, including HackerOne:
the absolute lack of accountability and transparency. One can only hope the
companies act in good faith. In my opinion this should rather be handled by an
independent organisation like the CERT community or, since it's a vital security
interest, at state level. Though the latter might be prone to conflicting
interests as well.

------
crunchlibrarian
I am starting to wonder how many breaches there have actually been of Google
user data; they are so secretive and insular it wouldn't surprise me in the
least if it has happened multiple times and was covered up.

In the future, as these mega corporations become even larger and more
powerful, brave employees who are willing to violate NDAs are the only source
of info we will have at all.

------
moepstar
If that account is true, this definitively has some "smell" to it...

------
curiousgal
> _To make it clear: I’m not after fame, credits, or want to take some bounty
> away from @girlswhocode!_

Why mention them then, if not to pressure them into refunding the donation?

~~~
philliphaydon
I assume to call them out. If someone pulls a dick move once and gets away
with it, they will do it again. If they get called out they will think twice
next time.

~~~
curiousgal
The charity had nothing to do with this. They didn't choose to be the
recipients of a 'stolen' bounty.

~~~
philliphaydon
I'm not sure where I mentioned charity?

I wrote an assumption based on what I read in the article.

