There are three weaknesses in Brave's FIDO U2F implementation. At first, u2f.register() can be executed from cross-origin subframe by invoking U2F.postMessage directly Second issue - FIDO related modals show the name of top frame origin (but not caller subframe) Third issue - The version parameter sent from the above postMessage is embedded in an evaluateJavaScript without escape The combination of these weaknesses allows cross-domain subframe to inject any JavaScript code to the top frame through fake U2F registration process.