Crypto Wallet Firm Dfns Says ‘Magic Links’ Have Critical Vulnerability
Some magic links – a passwordless sign-in method embraced by a growing number of crypto wallets and web apps – have a critical vulnerability, according to the crypto wallet startup Dfns.
Dfns is a company that offers wallet services, backed by firms like White Star Capital, Hashed, Susquehanna, Coinbase Ventures and ABN AMRO.
A magic link is a unique, one-time-use URL that is generated by a website or app to authenticate a user without requiring them to enter a password. When the user clicks on a magic link sent to them by the web app, it verifies their identity and logs them into their account.
Initially spearheaded by Slack and other popular “Web2” apps, magic links have become an increasingly common sign-in method for crypto wallets. Instead of requiring users to remember a complex key or seed phrase, magic links are promoted as a quicker, simpler and safer way to log in.
But Dfns says magic links – which can be implemented differently from app to app – are often vastly less secure than more traditional sign-in methods.
Dfns categorizes the vulnerability it discovered as a “zero day” exploit – so severe as to essentially render magic links toxic for developers. Given the ubiquity of magic links beyond just crypto wallets (they’re used by some popular password managers, for example), Dfns said in a statement that the vulnerability could “pose a considerable risk to a substantial portion of the global economy.”
Services impacted by the vulnerability, however, significantly downplayed its risk to CoinDesk, calling it a more benign – albeit still worrisome – breed of phishing attack. Multiple popular wallets, moreover, complained that Dfns gave them as little as three days’ notice before rushing to publicize its findings, well short of commonly accepted standards for vulnerability disclosure. They added that Dfns has a vested interest in disparaging passwordless wallet services, since Dfns’s business model involves safeguarding crypto passwords for its customers.
While not everyone agreed with Dfns’ characterization of the severity of its findings, individuals who spoke to CoinDesk noted that the findings did highlight how some growth-obsessed cryptocurrency companies have prioritized convenience over security in a bid to attract users.
“Back in the early 2000s, usernames and passwords were constantly compromised. But today we have two-factor authentication, OTP (one-time-passwords),” and other more secure sign-in methods, Web3Auth CEO Zhen Yu Yong told CoinDesk (Web3Auth offers a passwordless sign-in service that was vulnerable to the Dfns-discovered exploit). The crypto industry “is very much still using single-factor seed phrases – single-factor authentication.”
Hijacking magic links
In a demonstration over Zoom, Dfns Chief Information Security Officer (CISO) Dr. Samer Fayssal showed how a hacker can hijack popular “magic link” crypto wallet services using just a user’s email address.
Using a fresh CoinDesk burner wallet as a test dummy, Fayssal demonstrated how a hacker could send a magic link that appeared (and was, in a sense) genuine. The link came from the wallet service’s real email address, and clicking on it logged into the CoinDesk burner wallet.
But when Fayssal shared his screen, he showed that by clicking on the link, CoinDesk had inadvertently given him full access to its wallet.
With two Dfns lawyers on the line (apparently to attest to the fact that Dfns was not actually hacking CoinDesk), Fayssal agreed to repeat his attack on another passwordless crypto wallet service.
In both of his demonstrations, Fayssal – not CoinDesk – initiated the sign-in request that triggered a magic link email. If a user receives a log-in email without actually trying to log into a service, this is typically a phishing red flag – even if the email appears completely authentic.
Fayssal would not explain how he pulled the attacks off, telling CoinDesk that he didn’t want his methods to get into the wrong hands. He said, however, that he has personally reached out to more than a dozen companies he believes are vulnerable to the exploit and has offered to help them implement safeguards.
As for users of magic link wallets, “the advice I would give users is to implement two-factor authentication as soon as possible, if possible,” said Fayssal.
CoinDesk spoke with three of the crypto companies that Dfns identified as users of magic links. All of them confirmed that Fayssal’s findings were authentic, but they all said Dfns was overplaying its hand by calling the attack a “zero day.”
Magic Labs, one of the companies Dfns used in its demo, said a day later it was no longer vulnerable.
“Magic Labs no longer has vulnerability to this type of phishing, and, to our knowledge, none of our end-users have been affected,” said Sean Li, CEO of Magic Labs. “We’re constantly evaluating and improving the security of our platform.”
Zero day or phishing attack?
Web3Auth was the other crypto wallet service that Dfns used to demonstrate the magic link vulnerability to CoinDesk. In the opinion of Web3Auth’s Yong, the magic link vulnerability doesn’t qualify as a more severe “zero day” exploit because the user needs to click on a hijacked magic link in order for it to work.
“We see this as a phishing attack,” Yong told CoinDesk. “It’s similar to a phishing attack on MetaMask, where there’s a dApp [decentralized app] that sends a malicious transaction, the user approves it, then the user might send their tokens to a malicious address or something.”
The magic link attack fails if the user misses the hijacked email, clicks on the link after it expires, or finds it suspicious that they’d been sent a magic link when they hadn’t tried to log in. (As to this last point, Fayssal says that an attacker could strategically time the link to arrive around when a user might be expected to log into the target service.)
Yong told CoinDesk that Web3Auth has safeguards to prevent phishing, though he admitted that these safeguards weren’t enough to fend off Fayssal’s vulnerability.
To Web3Auth’s credit, however, the firm has text at the bottom of its magic link emails specifying the IP address that initiated a sign-in attempt. In Fayssal’s demonstration, his hijacked magic link came from a different IP address than CoinDesk’s – an easy-to-miss hint that the link was fraudulent even though the email came directly from Web3Auth.
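The properties the article touches on (a link that expires, works once, and whose email names the IP that requested it) plus the control that addresses an attacker-initiated request, binding the link to the browser that asked for it, can be seen together in this added example. It is illustrative code written for this article, not the implementation of Dfns, Web3Auth, Magic Labs or Sequence; the `wallet.example` URL and the in-memory token store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600  # a link dies ten minutes after it is requested


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class MagicLinkService:
    def __init__(self):
        self._pending = {}  # url_token -> record; a real service keeps this in a database

    def request_link(self, email, requester_ip, now=None):
        """Handle 'send me a sign-in link'. Returns (url_token, browser_nonce, email_body).

        url_token goes into the emailed link. browser_nonce is set as a cookie only in the
        browser that made the request and is never emailed, so a link requested from someone
        else's machine cannot be redeemed by the person who requested it.
        """
        now = time.time() if now is None else now
        url_token = secrets.token_urlsafe(32)
        browser_nonce = secrets.token_urlsafe(32)
        self._pending[url_token] = {
            "email": email,
            "nonce_hash": _h(browser_nonce),  # store a hash, never the nonce itself
            "requester_ip": requester_ip,
            "created": now,
        }
        email_body = (
            f"Click to sign in: https://wallet.example/login?t={url_token}\n"  # assumed URL
            f"This sign-in was requested from IP {requester_ip}. "
            "If you did not ask for this link, ignore it."
        )
        return url_token, browser_nonce, email_body

    def redeem(self, url_token, browser_nonce, now=None):
        """Handle the click. Returns the signed-in email, or None if the link is rejected."""
        now = time.time() if now is None else now
        rec = self._pending.pop(url_token, None)  # single use: gone after the first attempt
        if rec is None:
            return None  # unknown, already used, or already burned by a bad attempt
        if now - rec["created"] > TOKEN_TTL_SECONDS:
            return None  # expired
        if browser_nonce is None or not hmac.compare_digest(rec["nonce_hash"], _h(browser_nonce)):
            return None  # clicked from a browser other than the one that asked for the link
        return rec["email"]
```

A victim who clicks a link that someone else requested holds no matching cookie, so the redeem step fails for everyone involved rather than handing a session to the requester.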
Yong said Web3Auth would implement additional anti-phishing methods in light of Fayssal’s research.
Sequence, a web3 development platform that offers a passwordless crypto wallet, told CoinDesk that it had put safeguards in place that rendered the Dfns-discovered vulnerability ineffective. “For Sequence, I don’t think it’s as bad at all,” said Peter Kieltyka, CEO at Horizon, the company that builds Sequence. “But you know, yeah, for some other products, I think they could take additional measures.”
Kieltyka accused Dfns of exaggerating the severity of the magic link vulnerability as a “marketing stunt.”