So @Yubico releases an advisory that is:
1. based on our work
2. does not give any credit besides "the researchers"
3. apparently applies a bounty for a replication of our work on March 5 (according to the advisory) https://www.yubico.com/support/security-advisories/ysa-2018-02/ …
the advisory refers to your offensivecon talk from before that date: "2018-02-16 Researchers give a talk at offensive-con about how they were able to generate an assertion from a YubiKey Neo using WebUSB over smart-card interface. 2018-02-27 Yubico was notified [...]"
Without link and names (but that's not my main issue). We talked to their CISO before, they did not involve us. Instead reported HID access on Windows on March 5th (according to the advisory), we reported that in Chromium issue 818472 on March 3rd...it's wrong on multiple levels.
It gets even better, we showed this also in our @offensivecon talk and also again in a private call with the @Yubico CISO: "For instance, Yubico was able to use it to obtain a PGP signature from a PGP enabled YubiKey over WebUSB." (from the advisory).