Yubico snatched my login token vulnerability to claim a $5k Google bug bounty, says bloke

Yubico has apologized to a security vulnerability researcher who had complained the dongle peddler lifted his work to nab a $5,000 Google bug bounty.

Over the weekend, Marcus Vervier described how he and fellow infosec bod Michele Orru discovered flaws that could be exploited by miscreants to steal people's two-factor authentication codes.

Basically, you can register a USB YubiKey from Yubico with, say, your Facebook.com account so that when logging into the social network, you type in your password, plug in your YubiKey and press a button on it, and successfully log in. If you, or a hacker, doesn't have the key, they can't get into your account.

The YubiKey only hands over a two-factor authentication token if it is satisfied the browser really is visiting facebook.com, using the U2F protocol to verify the identity of the requesting site.

Enter WebUSB, which allows websites to access USB devices. Vervier and Orru found they could craft webpages that masquerade as real sites, such as facebook.com, and could still read from YubiKey tokens. Such a malicious phishing site could therefore trick victims into handing over their Facebook username, password, and two-factor code, and log in as them to cause havoc.

The pair presented their research on the subject earlier this year at the OffensiveCon security conference – as seen in the video below. Vervier said that after their work was publicized, Yubico got in touch asking for more information.

Youtube Video

Fast forward to last week, when Yubico disclosed its own findings on exploiting WebUSB to steal codes, including the revelation that the company had reported the issue to Google's Chromium browser project – the core software of Google Chrome – and received a $5,000 bounty in return.

Yubico reported the security weakness to Google because Android and Chromium were particularly vulnerable, and Google shored up its software.

Here is where the problem arises. Vervier claims he and Orru also reported the issue to Google, but did not hear back. It appears Yubico beat them to it, tipping off Google after speaking to the duo but before the pair could formally disclose the vulnerability to the web giant.

Yubico claimed its disclosure expanded on their original work but did not specifically credit either Vervier or Orru.

"Yubico had internally replicated our work, contacted us to gather information about what we have not released so far, asked us for help to create a PoC [proof of concept exploit], but did not tell us anything about their intentions?" a clearly irritated Vervier wrote.

"Then went to Google, two days later submitting a comprehensive analysis of the research, claiming to have new original content and gaining a 5,000 USD bounty for this."

For what it's worth, the bounty payout was donated by Yubico to Girls Who Code, a decision Vervier supports. It's not about the money, but rather the lack of credit he says he and Orru were not given for their work by a major security vendor.

"I always believed in working with vendors to get issues fixed, but things like this makes you wonder why people hoarding exploits, doing full disclosure, or selling them have an apparently easy and prosperous life," Vervier said.

"On a professional level I never had any problems with work and research when being contracted to do security audits, expectations and responsibilities are clear. But as a private researcher it seems like being nice just means trouble."

Yubico, when contacted by The Register, admitted it messed up by not crediting the duo for their contributions. The Yubico write-up on the issue has since been updated to credit the researchers, and Yubico said it has apologized to both.

"Markus and Michele’s research provided a critical foundation, and we made a mistake by not clearly acknowledging them for their original research in our initial security advisory," Yubico said.

"We learned only on June 13, after we published our advisory, that Markus and Michele also discovered and reported HID issues to Google. We understand that better communication after the issue was fixed would have ensured that all parties were in sync, and will use this as an opportunity for improvement." ®