Some necessary caveats: This kind of attack can only be pulled off in relatively narrow circumstances by a dedicated attacker. Segal said the user would need to have installed a malicious browser extension or be in transit and use public Wi-Fi where their traffic could be intercepted and decrypted through a MITM attack.
Well, okay. Maybe there’s something new here, but despite the many paragraphs of exposition, this sounds like exactly the sort of cookie stealing attack that’s been possible for decades.
Is the big breakthrough here that somebody realized FIDO doesn’t change that? Like, uh, no kidding? What’s new?
Yeah, this seems like old news - cookies can be stolen, and FIDO doesn’t change that unless you are prompting the hardware token for validation with every request (which isn’t feasible for most things, though might be a good idea for sensitive actions).