Crypto Wallet Firm Dfns Says “Magic Links” Has Critical Vulnerability

Some Magic Links — a passwordless login method embraced by a growing number of crypto wallets and web apps — have a critical vulnerability, according to crypto wallet startup Dfns.

A magic link is a unique, one-time URL generated by a website or app to authenticate a user without requiring them to enter a password. When the user clicks on a magic link sent to them by the web app, it verifies their identity and logs them into their account.

Originally pioneered by Slack and other popular “Web2” apps, magic links have become an increasingly common login method for crypto wallets. Instead of requiring users to remember a complex key or seed phrase, magic links are promoted as a faster, easier, and more secure way to log in.

But Dfns says that magic links – which can be implemented differently from app to app – are often much less secure than more traditional login methods.

Dfns categorizes the vulnerability it discovered as a “zero day” exploit – so severe that it essentially makes magic links toxic for developers. Given the ubiquity of magic links beyond just crypto-wallets (they are used by some popular password managers, for example), Dfns said in a statement that the vulnerability could “pose a significant risk to a significant part of the global economy.”

However, services affected by the vulnerability significantly downplayed the risk to CoinDesk, calling it a more benign — if still worrisome — type of phishing attack. Moreover, several popular wallets complained that Dfns gave them as little as three days’ notice before rushing to publish their findings, far from the generally accepted standards of vulnerability disclosure. They also added that Dfns has a vested interest in denigrating passwordless wallet services; Dfns’ business model involves securing crypto passwords for its customers.

While not everyone agreed with Dfns’ characterization of the severity of the findings, individuals who spoke to CoinDesk noted that the findings highlighted how some growth-obsessed cryptocurrency companies have prioritized convenience over security in an effort to attract users.

“Back in the early 2000s, usernames and passwords were constantly being compromised. But today we have two-factor authentication, OTP (one-time password),” and other more secure login methods, Web3Auth CEO Zhen Yu Yong told CoinDesk (Web3Auth offers a passwordless login service that was vulnerable to the Dfns-discovered exploit). The crypto industry “largely still uses single-factor seed phrases – single-factor authentication.”

In a demonstration over Zoom, Dfns’ Chief Information Security Officer (CISO) Dr. Samer Fayssal showed how a hacker can hijack popular “magic link” crypto wallet services using just a user’s email address.

Using a recent CoinDesk burner wallet as a test dummy, Fayssal demonstrated how a hacker could send a magic link that appeared (and sort of was) real. The link came from the wallet service’s real email address and clicking on it logged you into the CoinDesk burner wallet.

But when Fayssal shared his screen, he showed that by clicking the link, CoinDesk had inadvertently given him full access to the wallet.

With two Dfns lawyers on the line (ostensibly to confirm the fact that Dfns did not actually hack CoinDesk), Fayssal agreed to repeat his attack on another passwordless crypto wallet service.

In both of his demonstrations, Fayssal—not CoinDesk—initiated the login request that triggered a magic link email. If a user receives a login email without actually trying to sign in to a service, this is usually a red flag for phishing – even if the email seems completely authentic.

Fayssal would not explain how he managed the attacks, telling CoinDesk that he did not want his methods to fall into the wrong hands. However, he said he has personally contacted more than a dozen companies he believes are vulnerable to the exploit and has offered to help them implement security measures.

As for Magic Link users, “the advice I would give users is to implement two-factor authentication as soon as possible, if possible,” Fayssal said.

CoinDesk spoke with three of the crypto companies that Dfns identified as users of magic links. All confirmed that Fayssal’s findings were authentic, but they all said that Dfns overplayed its hand by calling the attack a “zero day”.

Magic Labs, one of the companies Dfns used in its demo, said a day later that it was no longer vulnerable.

“Magic Labs is no longer vulnerable to this type of phishing, and as far as we know, none of our end users have been affected,” said Sean Li, CEO of Magic Labs. “We are continuously evaluating and improving the security of our platform.”

Web3Auth was the second crypto wallet service that Dfns used to demonstrate the magic link vulnerability to CoinDesk. In the opinion of Web3Auth’s Yong, the magic link vulnerability does not qualify as a more serious “zero day” exploit because the user must click on a hijacked magic link for it to work.

“We view this as a phishing attack,” Yong told CoinDesk. “It’s similar to a phishing attack on MetaMask, where it’s a dApp [decentralized app] that sends a malicious transaction, the user approves it, then the user can send their tokens to a malicious address or something.”

The magic link attack fails if the user misses the hijacked email, clicks the link after it expires, or finds it suspicious that they were sent a magic link when they hadn’t tried to log in. (Regarding this last point, Fayssal says that an attacker can strategically time the link to arrive when a user might be expected to log on to the target service.)

Yong told CoinDesk that Web3Auth has security measures in place to prevent phishing, although he admitted that those security measures were not enough to avert Fayssal’s vulnerability.

However, to Web3Auth’s credit, the company includes text at the bottom of the emails with magic links that specify the IP address that initiated a login attempt. In Fayssal’s demonstration, his hijacked magic link came from a different IP address than CoinDesk’s — an easy-to-miss hint that the link was fraudulent even if the email came directly from Web3Auth.
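The two defensive ideas the article touches on, a login email that names the requesting IP address (as Web3Auth’s emails do) and a link that is useless to anyone except the browser that requested it (so a link requested by someone else and merely forwarded to the account holder does not log either party in), can be combined in the issuing service. The following is an added illustration, not code from Dfns, Web3Auth, Magic Labs or Sequence; the host name, the in-memory `store` and the cookie value used as the browser binding are assumptions.

```python
import hashlib
import hmac
import secrets

LINK_TTL_SECONDS = 600  # short lifetime: the article notes an expired link cannot be used

def _h(value: str) -> str:
    # Store only hashes, so a leaked table cannot be replayed as working links.
    return hashlib.sha256(value.encode()).hexdigest()

def request_magic_link(store: dict, email: str, browser_cookie: str,
                       requesting_ip: str, now: float) -> tuple:
    """Issue a one-time link bound to the browser that asked for it.

    Returns (url, email_body). The body names the requesting IP, as Web3Auth's
    emails do, so a recipient who never started a login can spot the mismatch.
    `now` is passed in (seconds) so the expiry check is deterministic.
    """
    token = secrets.token_urlsafe(32)
    store[_h(token)] = {
        "email": email,
        "cookie_hash": _h(browser_cookie),  # binding to the initiating browser
        "ip": requesting_ip,
        "expires": now + LINK_TTL_SECONDS,
        "used": False,
    }
    url = f"https://wallet.example/login?token={token}"  # hypothetical host
    body = (f"Click to sign in: {url}\n"
            f"This login was requested from IP {requesting_ip}. "
            "If you did not request it, do not click the link.")
    return url, body

def redeem_magic_link(store: dict, token: str, browser_cookie: str,
                      now: float) -> tuple:
    """Return (email, 'ok') on success, otherwise (None, reason)."""
    rec = store.get(_h(token))
    if rec is None:
        return None, "unknown token"
    if rec["used"]:
        return None, "already used"
    if now > rec["expires"]:
        return None, "expired"
    # The click must come from the browser that requested the link. A link
    # requested elsewhere and merely forwarded to the account holder is
    # refused, so neither party gets logged in.
    if not hmac.compare_digest(rec["cookie_hash"], _h(browser_cookie)):
        return None, "link was requested from a different browser"
    rec["used"] = True
    return rec["email"], "ok"
```

The binding cookie must be set on the page that requests the link and carried to the page that receives the click, so the check only works within one browser; it is a complement to, not a replacement for, the second factor Fayssal recommends.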

Yong said Web3Auth would implement more anti-phishing methods in light of Fayssal’s research.

Sequence, a web3 development platform that offers a passwordless crypto wallet, told CoinDesk that it put security measures in place that rendered the Dfns-discovered vulnerability ineffective. “For Sequence, I don’t think it’s as bad at all,” said Peter Kieltyka, CEO of Horizon, the company that builds Sequence. “But you know, yes, for some other products, I think they may take additional measures.”

Peter accused Dfns of exaggerating the severity of the magic link vulnerability as a “marketing stunt.”
