Too true, I'm irritated that Google continuously adds many new APIs to its platforms and the web, where most of them are useless for me, who mostly only needs text and images on the web. After years of learning security here, I finally reached the conclusion that attack surface reduction is the most effective way to stop 0-days. So I disabled most of these unnecessary APIs. Does it mean disabling WebUSB via flags doesn't work? Or is it just not considered an "easy way"?
I don't know. BTW, I remember a conversation in some programming-oriented Facebook group about Chrome/Chromium flags. Chrome has hundreds of flags and almost all are not taken seriously - they were coded semi-officially by Google engineers and then left without maintenance. Everybody should assume no guarantee of any backward compatibility, or even removal of a flag without any warning.
If you can intercept the USB, of course you can effectively MiTM any U2F token. The irresponsible thing is to provide an interface in the browser that lets you do that - crazy. It's certainly no longer a browser with that, I'm fed up with "browsers" being wolves in sheep's clothing - think WebRTC and all that nonsense. Even with that MiTM, and the passwords, it's only any good for that session, or while the U2F token is plugged in - it wouldn't work elsewhere for example. My understanding is that there will be a more general W3C authentication API which subsumes U2F and nominally will allow - finally - proper native support by both FF and Chrome. The situation where it wasn't even a built-in part of Chrome, and marked as beta, is absurd. And hopefully that will remove any opening for intercepting USB responses.
Browser vendors contradict themselves. On the one hand, vendors put significant effort into securing the browser against drive-by download attacks (built-in sandbox) and recommend HTTPS/TLS everywhere, but on the other hand they add a bunch of API features which can be exploited against the user's privacy and security.
To update, on Windows Chrome 65 and the "PRE-RELEASE" U2F extension, and FF59.02 with U2F support enabled in about:config, the Yubico U2F demo site works fine, also on Linux. There are currently issues with running FF with Sandboxie on Windows, and with running either under firejail (am working on profiles for this now).
Yubico snatched my login token vulnerability to claim a $5k Google bug bounty, says bloke https://www.theregister.co.uk/2018/06/18/yubico_webusb_google_bounty/