Cypher

“Magic Links” Vulnerability: Crypto Wallet Firm Dfns Reveals Involved Risks

Dfns, a crypto wallet provider backed by Coinbase Ventures, White Star Capital, Hashed, ABN AMRO, and Susquehanna, has warned of a critical flaw in certain “magic links” passwordless sign-in methods. An increasing number of crypto wallets and web applications utilize this method.

Magic links, utilized by services such as Slack and other popular Web2 programs, have become a popular way to log into crypto wallets without remembering a complex key or seed phrase. They are advertised as a convenient, more secure sign-in method.

However, Dfns points out that magic links, which can be implemented differently for each application, are often far less secure than more traditional authentication methods. Dfns has classified the flaw as a “zero day” exploit – so hazardous that it renders magic links perilous for software designers.

Due to the widespread use of magic links beyond cryptocurrency wallets (they’re employed by various renowned password managers, for instance), Dfns declared that the weakness could “present a danger to a significant part of the worldwide economy.”


Several popular wallets expressed anger that they had only three days’ warning before the findings were made public, much shorter than the accepted standard for disclosing vulnerabilities.

Despite these advances, the cryptocurrency industry still relies on single-factor seed phrases for authentication, which is vulnerable to the exploit detected by Dfns.


Attack Investigation: Zero-Day Or Phishing Attempt?

According to Web3Auth’s Yong, the magic link vulnerability demonstrated by Dfns is not a “zero day” exploit because it requires the user to click on a hijacked link. According to Yong, this was more like a phishing attack, similar to when a malicious dapp sends a transaction to a user who then approves it, possibly leading to the sending of tokens to a malicious address.

If the user overlooks the phishing email, clicks on the link after the validity expires, or is suspicious of being sent a link without attempting to log in, the magic link attack will fail. Fayssal suggests that an attacker could time the link to arrive when the user would be likely to access the target service for maximum effect.

Yong further said that Web3Auth has defense mechanisms to protect against phishing, although he confessed that these were not enough to protect against Fayssal’s loophole. Nonetheless, Web3Auth does include text at the end of its magic link emails that states the IP address of the sign-in request.

Peter Kieltyka, CEO of Horizon, the company that produces Sequence, a Web3 development platform that provides a passwordless crypto wallet, announced the implementation of extra anti-phishing measures in light of Fayssal’s investigation.


He also suggested that other organizations may need to take more measures to protect against the vulnerability highlighted by Dfns. He suggested that Dfns had exaggerated the problem’s seriousness as a “marketing ploy.”



Bradley Nelson

Bradley Nelson is a US based cryptocurrency news writer for Tokenhell, he helps readers stay up to date with the latest trends and news from the blockchain and crypto world. Bradley has been a crypto enthusiast since 2018.
