Vendor says it found flaws too
Security key specialist Yubico has been accused of taking credit – and the reward bounty – for a vulnerability disclosure first identified by other security specialists.
The company claims it independently identified the issue.
The Sweden-founded, US-based company, recently profiled by Computer Business Review, sells popular universal two-factor (U2F) authentication keys.
Earlier this year at the OffensiveCon security conference in Berlin (as reported by Andy Greenberg in Wired), security researchers Markus Vervier and Michele Orrù demonstrated that U2F tokens like the YubiKey could be circumvented.
The security researchers revealed that WebUSB could be used to pass U2F requests to the USB CCID interface on the YubiKey NEO, thereby bypassing the origin check of the browser and creating a potential security issue.
After the vulnerability was revealed, Yubico got to work with Google to try to fix it.
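The bypass described above works because a web page talks to the token's USB interface directly, underneath the browser's U2F client that enforces the origin check. The browser-side control that closes that path is the WebUSB specification's rule that a page may never claim an interface of a "protected" class, which covers both HID (0x03) and Smart Card/CCID (0x0B). The following Python is an added illustration of that rule, not Yubico's or Google's code; the USB configuration descriptor it parses is constructed to resemble a composite token such as the YubiKey NEO and is not captured from a real device.

```python
import struct

# Interface classes the WebUSB specification lists as protected: a web page
# may not claim an interface whose bInterfaceClass is one of these.
PROTECTED_INTERFACE_CLASSES = {
    0x01: "Audio", 0x03: "HID", 0x08: "Mass Storage", 0x0B: "Smart Card / CCID",
    0x0E: "Video", 0x10: "Audio/Video", 0xE0: "Wireless Controller",
}
DESC_INTERFACE = 0x04   # bDescriptorType of an interface descriptor
DESC_ENDPOINT = 0x05    # bDescriptorType of an endpoint descriptor


def parse_interfaces(config_descriptor: bytes):
    """Walk a USB configuration descriptor (header, interfaces, endpoints, class-specific
    descriptors) and return (bInterfaceNumber, class, subclass, protocol) per interface."""
    offset, interfaces = 0, []
    while offset + 2 <= len(config_descriptor):
        length, dtype = config_descriptor[offset], config_descriptor[offset + 1]
        if length < 2 or offset + length > len(config_descriptor):
            raise ValueError("malformed descriptor at offset %d" % offset)
        if dtype == DESC_INTERFACE and length >= 9:
            # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting,
            # bNumEndpoints, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol, iInterface
            _, _, num, _alt, _, cls, sub, proto, _ = struct.unpack_from("<9B", config_descriptor, offset)
            interfaces.append((num, cls, sub, proto))
        offset += length  # skips endpoint and class-specific descriptors by their own length
    return interfaces


def webusb_claimable(config_descriptor: bytes):
    """Return {interface_number: None} for claimable interfaces, or a reason string when blocked."""
    result = {}
    for num, cls, _sub, _proto in parse_interfaces(config_descriptor):
        name = PROTECTED_INTERFACE_CLASSES.get(cls)
        result[num] = None if name is None else "protected class 0x%02X (%s)" % (cls, name)
    return result


# Constructed descriptor (not from a real device): interface 0 = HID, interface 1 = CCID
# smart card (the interface the page's attack went through), interface 2 = vendor-specific.
def _iface(num, cls, sub, proto):
    return struct.pack("<9B", 9, DESC_INTERFACE, num, 0, 2, cls, sub, proto, 0)

_endpoint = struct.pack("<BBBBHB", 7, DESC_ENDPOINT, 0x81, 0x03, 64, 10)
_body = _iface(0, 0x03, 0, 0) + _endpoint + _iface(1, 0x0B, 0, 0) + _iface(2, 0xFF, 0, 0)
SAMPLE_CONFIG = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(_body), 3, 1, 0, 0x80, 50) + _body

if __name__ == "__main__":
    for num, reason in webusb_claimable(SAMPLE_CONFIG).items():
        print("interface %d: %s" % (num, "claimable" if reason is None else "blocked, " + reason))
```

Browsers additionally keep a per-device blocklist, which this check does not model; the class rule alone already denies a page the CCID path to the token.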
In a blog post published yesterday, the company’s Jesper Johansson said: “This year, Yubico worked with Google under responsible disclosure to address WebUSB vulnerabilities in Google Chrome that affected the entire ecosystem of FIDO U2F authenticators, manufactured by Yubico as well as other vendors.”
After a brief nod to Vervier and Orrù (the latter an experienced browser security researcher) for the original disclosure, Johansson wrote: “Our own researchers quickly discovered there was a broader set of security concerns within WebUSB that affected the entire ecosystem of FIDO U2F authenticators.”
“To help protect the U2F ecosystem, we disclosed these issues to Google in early March and worked closely with their engineering teams on a mitigation plan to address this issue and secure all U2F customers.”
For the research and disclosure, Google awarded Yubico a bug bounty of $5,000, which Yubico donated to charity Girls Who Code.
Universal Two Fingers?
The move left others less than impressed, least of all the original researchers.
Markus Vervier, chief of security at Red Team outfit X41 wrote on Twitter: “WTF, Yubico claims a reward based on our work even though we reported apprently reported [sic] HID access under Windows to Google before them?”
He added: “Now I know why @yubico was so keen on getting source code for our PoCs we have shown on @offensive_con. You replicated some of our findings without telling. You reported them to Google without telling us to claim 5k of bounty? What kind of move is this?”
Michele Orrù added: “You acted unprofessionally taking credits for research and work that isn’t yours. When @marver and me had a private chat with your CSO Jesper Johansson, he was begging us to get the source code of the exploit. We even sent demo videos because the Yubico team COULD NOT REPLICATE”.
Others chimed in. Daniel Cuthbert, Global Head of Cyber Security Research at BANCO SANTANDER, added: “Dear @Yubico we are customers and this lackadaisical approach to responsible disclosure and credit isn’t kosher. This is not how you welcome more looking at potential flaws in your products.”
Hey, We Independently Discovered This Stuff!
Yubico (which has been contacted for further comment by Computer Business Review) later updated its blog to add: “We were just made aware that the original researchers reported the Windows HID issue to Google around the same time we submitted it to Google.”
“We were not aware of this at the time, we independently discovered it while investigating the public CCID issue, and followed standard responsible disclosure practices by sending all our findings, including the Windows HID issue, only to the affected vendor in order to afford maximum protection for the ecosystem.”
Yubico’s security advisory is here.
Markus Vervier told Computer Business Review: “We can attack even more than just U2F with WebUSB. In the video you can see us accessing the SmartCard interface of a YubiKey with PGP via WebUSB. If we could have got a slot at DefCon or BlackHat this year, you would have seen a lot more!”