FIDO Key Exploitation by PoisonSeed Hackers

Cybersecurity researchers have revealed a new attack method used by the PoisonSeed group, allowing them to bypass Fast IDentity Online (FIDO) key protections by tricking users into approving authentication requests from fake company login portals.

FIDO keys are designed to prevent phishing by binding logins to specific domains through public-private key cryptography. However, attackers exploit the legitimate cross-device sign-in feature to deceive victims into authenticating malicious sessions.

The attack begins with a phishing email that directs users to a counterfeit sign-in page mimicking an enterprise's Okta portal. After the victim enters their credentials, the phishing site relays them to the real login page, which responds with a QR code for cross-device authentication; the phishing site shows that QR code to the victim. When the victim scans it, the login session the attackers started is approved, granting them unauthorized access.

This technique specifically targets users who authenticate via cross-device flows without strict proximity checks. While FIDO2 is designed to resist phishing, the misuse of its hybrid (cross-device) transport feature can reintroduce that risk.
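Relying-party-side checks that illustrate the two points above, as an added example that is not code from the original article, Okta, or any FIDO vendor: origin and RP ID binding is what stops a look-alike domain from phishing a FIDO login directly, but in a relayed cross-device login the victim's phone talks to the genuine portal, so the origin check passes and the remaining defensive lever is a policy that refuses credentials registered over the hybrid transport for accounts that require a physically present authenticator. It assumes the relying party stored the transports reported at registration; assertion signature verification is omitted, and all sample values are constructed.

```python
import base64
import hashlib
import json

# Constructed values for this example (not a real deployment): the relying party's ID
# and the only origin its assertions may carry.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Builds a clientDataJSON as a browser would; used here only to construct sample input."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: bytes = b"\x05", counter: bytes = b"\x00\x00\x00\x01") -> bytes:
    """Builds a minimal authenticatorData (rpIdHash || flags || signCount); sample input only."""
    return hashlib.sha256(rp_id.encode()).digest() + flags + counter

def check_client_data(client_data_json: bytes, expected_challenge: bytes):
    """Origin and challenge binding. Returns None when bound to this RP and session,
    otherwise a failure reason. A look-alike domain fails here."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "not an authentication ceremony"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return f"origin {cd.get('origin')!r} is not this relying party"
    return None

def rp_id_hash_matches(auth_data: bytes) -> bool:
    """First 32 bytes of authenticatorData are SHA-256 of the RP ID the authenticator signed for."""
    return auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()

def proximity_policy_allows(transports: list, require_proximity: bool) -> bool:
    """'hybrid' is the WebAuthn transport name for cross-device sign-in. When the account
    requires a physically present authenticator, refuse credentials registered over it."""
    return not (require_proximity and "hybrid" in transports)

def authenticate(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                 transports: list, require_proximity: bool = True):
    """Returns (True, origin) on success or (False, reason) on rejection."""
    reason = check_client_data(client_data_json, expected_challenge)
    if reason:
        return False, reason
    if not rp_id_hash_matches(auth_data):
        return False, "rpIdHash does not match this relying party"
    if not proximity_policy_allows(transports, require_proximity):
        return False, "cross-device credential rejected by proximity policy"
    return True, json.loads(client_data_json)["origin"]
```

The relayed attack described above passes the first two checks, since the origin and rpIdHash are genuine; only the transport policy distinguishes it, which is why the article's point about proximity checks matters.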