
Crypto-custody firm Dfns says that “magic links” are vulnerable to attacks

Dfns: “magic links” are not secure. A review by a bitcoin mixer: mixer.money

  1. Are simpler methods less secure?
  2. Many services consider magic links convenient
  3. Magic links are vulnerable — here is how it has been proven
  4. Zero-day vulnerability or phishing attack?

The crypto-custody startup Dfns has claimed that certain magic link services are vulnerable to attack. A magic link is a type of passwordless login used by many crypto wallets and apps. Dfns provides wallet services and is backed by companies such as White Star Capital, Susquehanna, Hashed, ABN AMRO, and Coinbase Ventures.

Are simpler methods less secure?

A magic link is a one-time-use link that carries a secret token and allows a user to log into their account. The app or website generates it and sends it to the user's email address so that they can authenticate without a password. By clicking the link, the user proves control of the mailbox and is logged in.

Magic links were initially popularized by Slack and other well-known Web2 apps. Today they are very often used to log into crypto wallets, where they offer the advantage of no longer having to remember complex keys or seed phrases. Users are able to log in faster and more simply.

However, Dfns claims that magic links are implemented in different ways, some of which are significantly less secure than other log-in methods.

Dfns classifies the issue as a zero-day vulnerability, and one severe enough that magic links become toxic for developers. Since they are implemented by many apps beyond crypto, including certain popular password managers, the vulnerability could “pose a considerable risk to a substantial portion of the global economy,” according to the Dfns statement.

Many services consider magic links convenient

Services using magic links seem to believe that the risks are less serious. They consider the issue a more benign, even if troublesome, type of phishing attack. Several popular wallet providers also complained that Dfns had notified them only three days before announcing its findings, far less than is acceptable under traditional vulnerability disclosure standards. They also believe that Dfns has an interest in discrediting passwordless services, since its own business model is based on protecting crypto passwords.

Even though some have questioned Dfns’ assessment of the situation, many agree that profit-obsessed crypto firms put convenience above security to attract customers.

“Back in the early 2000s, usernames and passwords were constantly compromised. But today we have two-factor authentication, OTP (one-time-passwords), and other more secure sign-in methods,” said Zhen Yu Yong, CEO and co-founder at Web3Auth, a company that offers a passwordless log-in service vulnerable to the exploit identified by Dfns. He added that the crypto industry “is very much still using single-factor seed phrases – single-factor authentication.”

Magic links are vulnerable — here is how it has been proven

Dr. Samer Fayssal, Chief Information Security Officer at Dfns, conducted a demonstration over Zoom to show how someone can break into a magic link wallet knowing only the target's email address.

CoinDesk created a new burner wallet for the test. Knowing only the email address tied to it, Fayssal caused the service to send CoinDesk a magic link email. The email looked entirely legitimate, since it genuinely came from the service's real email address.

However, when CoinDesk clicked the link, it turned out that CoinDesk had unintentionally granted Fayssal full access to the wallet.

With two lawyers present to confirm that Dfns was not actually hacking CoinDesk, Dr. Fayssal agreed to try his method on another service using magic links.

In both cases, it was Dr. Fayssal and not CoinDesk who initiated the log-in request that triggered the magic link email. If you receive a log-in email when you have not been trying to log into your account, this usually indicates an attack, even when the email is genuine and really comes from the service.

Dr. Fayssal declined to explain how he did it, saying that he did not want his technique to be used by attackers. He added that he had contacted over ten vulnerable companies and offered to help them implement protective measures.

He also recommended that users of magic link wallets enable two-factor authentication as soon as possible.

CoinDesk reached out to three of the companies that, according to Dfns, use vulnerable magic links. They confirmed the authenticity of Fayssal's findings but insisted that calling this a “zero-day exploit” was a stretch.

The next day, Magic Labs, whose service was used in the Dfns demonstration, said that it was no longer vulnerable.

“Magic Labs is no longer vulnerable to this type of phishing, and, to our knowledge, none of our end-users have been affected. We're constantly evaluating and improving the security of our platform,” Sean Li, CEO and co-founder at Magic Labs, commented.

Zero-day vulnerability or phishing attack?

Web3Auth, another crypto wallet service, was also tested by Dfns. Its CEO Zhen Yu Yong commented that the issue cannot be considered a zero-day vulnerability because nothing happens unless the user clicks the link.

“We see this as a phishing attack. It’s similar to a phishing attack on MetaMask, where there’s a dapp that sends a malicious transaction, the user approves it, then the user might send their tokens to a malicious address or something,” Zhen Yu Yong said.

For such an attack to succeed, the user needs to see the email, click the link before it expires, and trust the link enough to click it even though they had not tried to log into the service. Fayssal disputed the last point, arguing that an attacker could time the link to arrive at the moment a user is expected to log in.

Zhen Yu Yong said that Web3Auth implements measures to prevent phishing, admitting that they were not enough to protect against the vulnerability discovered by Fayssal.

Notably, magic link emails from Web3Auth include the IP address that initiated the log-in attempt. In Fayssal's examples, the log-in request came from an IP address different from CoinDesk's. However, this is easy to overlook since the email came from Web3Auth's own address.

Yong said that his firm would introduce additional safeguards as a result of Fayssal’s findings.
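The article does not disclose Fayssal's exact technique, but the details it does give (the attacker initiates the log-in request, the victim clicks a genuine email, and the attacker ends up with the session) match a well-known weak pattern in magic link flows: the link completes the log-in for the session that *requested* it, not for the browser that *clicks* it. The following simulation, added here as an example and not code from Dfns, Magic Labs, Web3Auth or any other service named above, shows that pattern beside a hardened variant that binds the click to the requesting browser with a cookie and issues the session only to the clicker. All hostnames, cookie names, addresses and timeouts are constructed for the example.

```python
"""Magic link flows: requester-trusting (vulnerable) vs. click-bound (hardened).

Added example; assumptions: the email delivery is simulated by an in-memory
mailbox, the hypothetical host wallet.example issues the links, and the
hardened service stores its request cookie as an HttpOnly cookie in practice.
"""
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 600                 # constructed: links expire after 10 minutes
VICTIM = "victim@example.com"           # constructed victim address


def _token_from_link(link):
    """Extract the ?token= value from a magic link URL."""
    return parse_qs(urlparse(link).query)["token"][0]


class VulnerableMagicLinkService:
    """Whoever *requested* the link gets logged in once *anyone* clicks it."""

    def __init__(self, mailbox):
        self.mailbox = mailbox          # email -> list of delivered links (simulated inbox)
        self.pending = {}               # request_id -> request record
        self.by_token = {}              # link token -> request_id

    def request_login(self, email):
        """Called from the requesting browser; returns the id that browser polls with."""
        request_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.pending[request_id] = {"email": email, "verified": False,
                                    "expires": time.time() + TOKEN_TTL_SECONDS}
        self.by_token[token] = request_id
        self.mailbox.setdefault(email, []).append(
            f"https://wallet.example/login?token={token}")
        return request_id

    def click_link(self, token):
        """Called from whatever browser opens the email; single use, time limited."""
        request_id = self.by_token.pop(token, None)
        if request_id is None:
            return False
        record = self.pending[request_id]
        if time.time() > record["expires"]:
            return False
        record["verified"] = True       # the flaw: this vouches for the *requester*
        return True

    def poll(self, request_id):
        """The requesting browser waits here and receives the session."""
        record = self.pending.get(request_id)
        if record and record["verified"]:
            return {"email": record["email"], "session": secrets.token_urlsafe(32)}
        return None


class HardenedMagicLinkService:
    """The click only completes login in the browser that requested the link,
    and the session is issued to that clicking browser; nobody polls for it."""

    def __init__(self, mailbox):
        self.mailbox = mailbox
        self.by_token = {}              # link token -> {"email", "cookie", "expires"}

    def request_login(self, email):
        """Returns the value the server sets as a cookie on the requesting browser."""
        cookie = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self.by_token[token] = {"email": email, "cookie": cookie,
                                "expires": time.time() + TOKEN_TTL_SECONDS}
        self.mailbox.setdefault(email, []).append(
            f"https://wallet.example/login?token={token}")
        return cookie

    def click_link(self, token, cookie):
        """Completes login only if the clicking browser carries the request cookie."""
        record = self.by_token.pop(token, None)                 # single use
        if record is None or time.time() > record["expires"]:
            return None
        if cookie is None or not secrets.compare_digest(cookie, record["cookie"]):
            return None     # requested elsewhere: refuse; user should restart on their device
        return {"email": record["email"], "session": secrets.token_urlsafe(32)}


def attack_vulnerable():
    """Attacker knows only the email; victim clicks a genuine email from the service."""
    mailbox = {}
    svc = VulnerableMagicLinkService(mailbox)
    attacker_request = svc.request_login(VICTIM)                 # from attacker's browser
    svc.click_link(_token_from_link(mailbox[VICTIM][-1]))        # victim clicks in theirs
    return svc.poll(attacker_request)                            # attacker now holds a session


def attack_hardened():
    """Same attack against the click-bound flow: the victim's browser has no cookie."""
    mailbox = {}
    svc = HardenedMagicLinkService(mailbox)
    svc.request_login(VICTIM)                                    # cookie lands in attacker's browser
    return svc.click_link(_token_from_link(mailbox[VICTIM][-1]), None)


def legit_hardened():
    """The user who requested the link clicks it in the same browser and logs in."""
    mailbox = {}
    svc = HardenedMagicLinkService(mailbox)
    cookie = svc.request_login(VICTIM)
    return svc.click_link(_token_from_link(mailbox[VICTIM][-1]), cookie)
```

In the vulnerable flow the attacker's browser never sees the email at all; it simply waits for the victim to click a link that is, in every technical sense, authentic. Binding the click to the requesting browser removes the polling requester from the trust chain, at the cost of the known usability caveat that a link opened in a different browser or device from the one that requested it must fail and send the user back to start. Showing the requesting IP in the email, as Web3Auth does, and requiring a second factor after the click are complementary measures, not substitutes for this binding.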

Sequence, a web3 development platform that offers passwordless log-in services, said that it introduced protective measures to close the newly disclosed weakness. “For Sequence, I don’t think it’s as bad at all. But you know, yeah, for some other products, I think they could take additional measures,” commented Peter Kieltyka, CEO at Horizon Blockchain Games, the company that develops Sequence.

He added that Dfns is exaggerating the severity of the magic link vulnerability as a “marketing stunt.”

