Scammers Discover Method to Bypass FIDO Multi-Factor Authentication

📟 News

Date: 22/07/2025

Operators of the PoisonSeed phishing campaign have found a way to get past FIDO-based multi-factor authentication (here, FIDO2 with WebAuthn) by abusing the cross-device authentication flow that WebAuthn provides. The attackers trick victims into approving login requests that actually originate from fake corporate portals.

Recall that the PoisonSeed campaign is built on phishing and ultimately aims at financial fraud. Earlier, the attackers compromised corporate email-marketing accounts and used them to send messages containing pre-generated seed phrases for cryptocurrency wallets; any funds a recipient later placed in a wallet created from such a phrase were under the attackers' control.

In the new attacks observed by researchers at Expel, the attackers do not exploit vulnerabilities in the FIDO mechanisms; they abuse a legitimate cross-device authentication feature.

This WebAuthn feature (the "hybrid" transport) lets a user sign in on one device with a security key or passkey held on another, typically a phone. Instead of plugging the key into the computer (for example, over USB), the computer displays a QR code that the phone scans, and the two devices then complete the authentication ceremony over the network. The FIDO hybrid transport also specifies a Bluetooth Low Energy proximity check, meant to confirm that the phone is physically near the device that showed the QR code; a cross-device login that completes from the QR code alone, without such a check, can be approved from anywhere.

The new PoisonSeed attacks begin by luring the victim to a phishing site that mimics a corporate Okta or Microsoft 365 login portal. As soon as the victim enters their credentials, the phishing infrastructure relays them in real time to the genuine portal.

Normally the login would now have to be confirmed with the victim's FIDO key. Instead, the phishing server selects the portal's sign-in-from-another-device option. The genuine portal then generates a QR code, which the phishing infrastructure relays to the phishing page and shows to the victim.

When the victim scans that QR code with their smartphone or authenticator app, they approve a session that the attackers started. The FIDO assertion itself is still bound to the real portal's origin and is still valid; what the attackers control is which browser session receives the resulting login. The protection is sidestepped by downgrading from a physically connected key to the cross-device flow, which needs no physical connection and can therefore be approved remotely.

The researchers stress that the attack exploits no vulnerability in FIDO. The attackers misuse a standard feature that lets them downgrade the authentication to a weaker mode.

To protect against such attacks, experts advise:

  • restrict the geographical regions from which sign-in is allowed, with a registration procedure for employees on business trips;
  • regularly review newly registered FIDO keys, watching for enrollments from unusual locations or from unfamiliar manufacturers;
  • where possible, require Bluetooth-based cross-device authentication, so that the proximity check forces the authenticating phone to be physically near the device that is logging in, something a remote attacker cannot satisfy.

In the same report, Expel analysts describe a second incident in which an attacker registered their own FIDO key after compromising the victim's account (presumably by phishing). Here no QR code had to be relayed and no interaction with the victim was needed: once the rogue key was enrolled, subsequent logins were completed entirely on the attacker's side.
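As an added example that is not part of the original article or of Expel's report, the following Python script applies the three recommendations above, plus the rogue-key case just described, to a handful of constructed sign-in and enrollment events. The event schema, the field names (`transport`, `country`, `vendor`), the user names, IP addresses, and the allowed-region and approved-vendor lists are all assumptions made for the example, not any vendor's real log format.

```python
"""Triage of FIDO sign-in and enrollment events for the PoisonSeed patterns.

Added example, not code from the article or from Expel. The event schema and
all sample data below are constructed for illustration and do not mirror any
vendor's real log format.
"""
from collections import defaultdict

# Constructed sample events. "transport" mimics the WebAuthn transport reported
# for the authenticator that signed the assertion: "usb"/"nfc" for a key plugged
# into the signing-in device, "internal" for a platform authenticator on that
# device, "hybrid" for the cross-device (QR code) flow. "country" and "ip"
# describe the browser session that requested the login, i.e. the place where
# the QR code was rendered. In the relay attack that browser is the attacker's.
EVENTS = [
    {"ts": "2025-07-14T08:02:11Z", "user": "a.ivanova", "event": "signin",
     "transport": "usb", "country": "DE", "ip": "203.0.113.10"},
    {"ts": "2025-07-14T09:40:27Z", "user": "a.ivanova", "event": "signin",
     "transport": "internal", "country": "DE", "ip": "203.0.113.10"},
    # Attacker's browser, holding phished credentials, chose the cross-device
    # option; the victim scanned the relayed QR code from their usual location.
    {"ts": "2025-07-15T11:17:03Z", "user": "a.ivanova", "event": "signin",
     "transport": "hybrid", "country": "US", "ip": "198.51.100.77"},
    # Second pattern: attacker enrolls their own key after the takeover.
    {"ts": "2025-07-15T11:19:41Z", "user": "a.ivanova", "event": "enroll_fido",
     "transport": "usb", "country": "US", "ip": "198.51.100.77",
     "vendor": "Unlisted Keys Ltd"},
    # Legitimate cross-device login from a country the user always works from.
    {"ts": "2025-07-15T12:00:00Z", "user": "b.petrov", "event": "signin",
     "transport": "usb", "country": "DE", "ip": "203.0.113.22"},
    {"ts": "2025-07-16T07:31:09Z", "user": "b.petrov", "event": "signin",
     "transport": "hybrid", "country": "DE", "ip": "203.0.113.22"},
    # Registered business trip: allowed by policy, but still new for this user.
    {"ts": "2025-07-16T09:12:55Z", "user": "c.nowak", "event": "signin",
     "transport": "usb", "country": "PL", "ip": "203.0.113.40"},
    {"ts": "2025-07-17T14:45:02Z", "user": "c.nowak", "event": "signin",
     "transport": "hybrid", "country": "FR", "ip": "192.0.2.9"},
]

# Policy inputs (assumptions for the example): regions from which sign-in is
# permitted, per-user exceptions registered for business trips, and the key
# manufacturers the organisation actually issues.
ALLOWED_COUNTRIES = {"DE", "PL"}
TRAVEL_EXCEPTIONS = {"c.nowak": {"FR"}}
APPROVED_VENDORS = {"Yubico"}


def baseline_countries(events):
    """Countries each user has signed in from with a key or platform
    authenticator that was physically present on the signing-in device.
    Hybrid logins are deliberately excluded: they are the relayable ones."""
    base = defaultdict(set)
    for e in events:
        if e["event"] == "signin" and e["transport"] != "hybrid":
            base[e["user"]].add(e["country"])
    return base


def is_allowed(user, country):
    """Region policy with the business-trip registration folded in."""
    return country in ALLOWED_COUNTRIES or country in TRAVEL_EXCEPTIONS.get(user, set())


def triage(events):
    """Return (severity, rule, event) findings in event order."""
    base = baseline_countries(events)
    findings = []
    for e in events:
        user, country = e["user"], e["country"]
        if e["event"] == "signin" and e["transport"] == "hybrid":
            # The QR code was rendered by a browser outside policy: in the
            # relay attack that browser belongs to the attacker.
            if not is_allowed(user, country):
                findings.append(("high", "hybrid_signin_outside_allowed_region", e))
            # Within policy but a country this user has never used a physically
            # connected key from: worth a look, not an alert on its own.
            elif country not in base.get(user, set()):
                findings.append(("low", "hybrid_signin_new_country_for_user", e))
        elif e["event"] == "enroll_fido":
            # A new key enrolled from the wrong place or the wrong manufacturer
            # is how the second Expel incident would surface in the logs.
            if not is_allowed(user, country):
                findings.append(("high", "fido_enroll_outside_allowed_region", e))
            if e.get("vendor") not in APPROVED_VENDORS:
                findings.append(("medium", "fido_enroll_unapproved_vendor", e))
    return findings


if __name__ == "__main__":
    for severity, rule, e in triage(EVENTS):
        print(f"{severity:6} {rule:40} {e['ts']} {e['user']} {e['country']} {e['ip']}")
```

The point of keying on the country of the browser that rendered the QR code, rather than on the phone that scanned it, is that in the relay attack the victim's phone sits in its normal location and looks entirely legitimate; only the session that started the cross-device login is out of place. Run against real identity-provider logs, the same rules would need the events mapped into this shape and the baseline built over a longer window than the few constructed records here.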

Taken together, the two cases show that even phishing-resistant authentication can be undermined if the user can be talked into completing a login flow that needs no physical interaction with their key, or if the attacker manages to enroll a key of their own.
