[Webkit-unassigned] [Bug 271329] New: FIDO Credential Overwritten during Authentication

bugzilla-daemon at webkit.org
Wed Mar 20 11:50:14 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=271329

            Bug ID: 271329
           Summary: FIDO Credential Overwritten during Authentication
           Product: WebKit
           Version: Safari 17
          Hardware: Mac (Intel)
                OS: macOS 14
            Status: NEW
          Severity: Major
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: will.smart at yubico.com

Created attachment 470448

  --> https://bugs.webkit.org/attachment.cgi?id=470448&action=review

A video showing the reproduction steps.

Safari on macOS 14.4 seems to overwrite an existing credential on a FIDO2 security key during an authentication ceremony under certain circumstances. This generally presents itself when a credential is registered, the key is unplugged, and then the key is plugged in again to authenticate. Steps below are shown with Safari, but this is also reproduced similarly with Firefox 123.

While the exact symptoms vary between security keys from different manufacturers, this issue doesn't seem to be limited to a single manufacturer.  Steps below completed with a YubiKey 5 with Firmware 5.4.3.

Steps to reproduce: 

1. Reset a security key so that it is in the default state. 
2. Navigate to any website that uses WebAuthn, like webauthn.io.  
3. Insert a security key.
4. Register a credential; it seems most reliable to repro by only changing attachments=cross-platform.
5. Next, authenticate with the security key; note that authentication is successful.
6. Remove the security key.  
7. Go to another device to prove that the credential exists on the security key. 
  a. Example: go to a Windows device to webauthn.io and authenticate with the security key
  b. Success
8. Go back to webauthn.io using Safari on macOS and authenticate. 
9. Plug in the security key; the key may act unresponsive and, instead of blinking, will stay lit up for 15 seconds.
10. Cancel the webauthn request. 
11. Authenticate again.
12. The user will see the error message “No Credentials Found”
13. Go back to Windows device to webauthn.io and authenticate with the security key. 
The user sees “The security doesn’t look familiar. Please try a different one”
