It might look straightforward from the outside, but the responsible disclosure of security flaws is always a delicate process prone to misunderstanding.
Take Yubico, the company behind the Yubikey security token. Yubico has found itself drawn into a rare public spat over how credit was apportioned for the discovery of an important security flaw affecting products, including its own, based on the FIDO U2F authentication protocol.
On one side are researchers Markus Vervier and Michele Orrù, who believe the company has taken credit for findings that originated with their work.
On the other, Yubico, which credited the researchers in general terms but said its own staff extended the findings in a way that “builds on Markus’s and Michele’s original work.”
The flaw at the heart of the disagreement was caused by Google’s September 2017 introduction into the Chrome browser of the WebUSB API, a technology that allows websites to gain direct access to USB devices using JavaScript.
According to a presentation by Vervier and Orrù, given at a security conference in February, this offered a way of bypassing the U2F protocol’s origin check when communicating via the smartcard Chip Card Interface Device (CCID). (The bypass, since identified as CVE-2018-6125, affected several FIDO U2F token makers and was fixed when Google updated Chrome to version 67 at the end of May.)
The discovery was clearly theirs. However, only a minority of U2F tokens (for example the Yubikey Neo) use CCID, with the majority being based on the keyboard-oriented Human Interface Device (HID).
Crucially, according to Yubico, its own researchers later confirmed that HID was also affected by the flaw – information it passed to Google, resulting in a security advisory on March 2.
The researchers, meanwhile, believe they told Yubico’s Jesper Johansson about the involvement of HID in a call on the same day:
We showed Jesper our unreleased slides, PoCs, videos. We discussed the impact. We also told him we are still researching WebUSB and apparently WebUSB access to HID class devices seems to be possible.
They hadn’t expanded on the possible vulnerability of HID in their February public presentation because without a full understanding of the implications, “talking about this on a public conference would not have been ethical.”
Things remained quiet until last week when Yubico tweeted that it had been sent a bug bounty of $5,000 from Google for disclosing the flaw in U2F authenticators:
Following responsible disclosure practices, we recently discovered a WebUSB vulnerability in Chrome that affected the entire ecosystem of FIDO U2F authenticators, now fixed in Chrome 67. The bounty we received was donated to @GirlsWhoCode. Details here: https://t.co/sJlboP5kBC pic.twitter.com/l7eBfwEUZF
— Yubico | #YubiKey (@Yubico) June 13, 2018
An upset Vervier blogged a reply:
The credit given was ‘the researchers claimed’, no link, no names, nothing detailed mentioned. Instead the text was very keen on pointing out that our research was mistaken and Yubico got it right.
It seems that when Yubico learned of the U2F CCID bypass from a journalist on 27 February – before it spoke to the researchers – it began inhouse research on its possible wider implications.
In its view, while the original research prompted the analysis, the later work related to HID was its own.
A good day for responsible disclosure? Not particularly. However inadvertently this disagreement came about, the end result is a pair of unhappy researchers who on the face of it weren’t rewarded for their work with a share of the bug bounty.
Bug bounties are, more widely, a huge success, as the large sums being paid out for serious security flaws by large companies such as Google attests. However, this falling out underlines that it is, nevertheless, a system that thrives not only on good faith and fair credit, but the appearance of both too.
Update 20-06-2018
Yubico later issued a clarification which concluded:
Markus and Michele’s research provided a critical foundation, and we made a mistake by not clearly acknowledging them for their original research in our security advisory. We learned only on June 13, after we published our advisory, that Markus and Michele also discovered and reported HID issues to Google. We understand that better communication after the issue was fixed would have ensured that all parties were in sync, and will use this as an opportunity for improvement.
Leave a Reply