A missing user presence check in webauthn-framework allows an attacker with remote access to a system to use an attached FIDO authenticator to log in to a vulnerable service without the legitimate user physically pressing a button on the authenticator. The vulnerability has been assigned CVE-2021-38299. The behavior has been fixed in webauthn-framework 3.3.4. Applications should use the updated version of the library.
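The check the advisory refers to is the relying party's verification of the User Present (UP) bit in the flags byte of the WebAuthn authenticator data returned with an assertion: the authenticator sets this bit only after its touch test succeeds, so a relying party that skips the check accepts assertions produced without any physical interaction. The following Python is an added illustration of that verification step written for this note; it is not code from webauthn-framework, and the relying party ID `example.com` and the constructed authenticator data are sample values.

```python
import hashlib
import struct

# Bits of the authenticator data "flags" byte (W3C WebAuthn, section 6.1).
FLAG_UP = 0x01  # User Present: the authenticator's touch/presence test passed
FLAG_UV = 0x04  # User Verified: PIN/biometric verification passed
FLAG_AT = 0x40  # Attested credential data follows
FLAG_ED = 0x80  # Extension data follows

# Fixed prefix of authenticator data: rpIdHash (32) | flags (1) | signCount (4)
AUTH_DATA_MIN_LEN = 37


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte fixed prefix of authenticator data into its fields."""
    if len(auth_data) < AUTH_DATA_MIN_LEN:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": sign_count,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
    }


def check_assertion_flags(auth_data: bytes, expected_rp_id: str,
                          require_uv: bool = False) -> tuple[bool, str]:
    """Relying-party side checks on authenticator data during assertion
    verification. Returns (accepted, reason). The UP check is the one whose
    absence allows a silent login with an attached authenticator."""
    try:
        parsed = parse_authenticator_data(auth_data)
    except ValueError as exc:
        return False, str(exc)
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        return False, "rpIdHash does not match the expected relying party ID"
    if not parsed["user_present"]:
        return False, "User Present (UP) flag not set: no physical interaction"
    if require_uv and not parsed["user_verified"]:
        return False, "User Verified (UV) flag required but not set"
    return True, "flags acceptable"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticator data blob (sample data for testing)."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp_id = "example.com"  # sample relying party ID, not from the advisory
    touched = build_auth_data(rp_id, FLAG_UP, 7)
    untouched = build_auth_data(rp_id, 0, 8)  # no presence test performed
    print(check_assertion_flags(touched, rp_id))
    print(check_assertion_flags(untouched, rp_id))
```

A relying party that omits the `user_present` branch treats the second blob exactly like the first; enforcing it (and, for higher-assurance flows, `require_uv=True`) is what restores the requirement that someone touch the authenticator for each login.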
The full report is available for download here.
We have published a detailed explanation of the vulnerability in this article.
Permalink to this entry: https://url.fzi.de/en-vuln-webauthn