“Magic Links” Vulnerability: Crypto Wallet Firm Dfns Reveals Involved Risks
Dfns, a crypto wallet provider backed by Coinbase Ventures, White Star Capital, Hashed, ABN AMRO, and Susquehanna, has warned of a critical flaw in certain “magic links” passwordless sign-in methods. An increasing number of crypto wallets and web applications utilize this method.
Magic links, utilized by services such as Slack and other popular Web2 programs, have become a popular way to log into crypto wallets without remembering a complex key or seed phrase. They are advertised as a convenient, more secure sign-in method.
However, Dfns points out that magic links, which every application implements differently, are often far less secure than more traditional authentication methods. Dfns has classified the flaw as a "zero day" exploit, one so hazardous that it makes magic links perilous for software developers to rely on.
Due to the widespread use of magic links beyond cryptocurrency wallets (they’re employed by various renowned password managers, for instance), Dfns declared that the weakness could “present a danger to a significant part of the worldwide economy.”
Several popular wallets expressed anger that they had only three days’ warning before the findings were public, much shorter than the accepted standard for disclosing vulnerabilities.
The cryptocurrency industry still relies heavily on single-factor authentication, whether a seed phrase or an emailed magic link, and it is the single-factor magic-link sign-in that is exposed to the attack described by Dfns.
Attack Investigation: Zero-Day Or Phishing Attempt?
According to Web3Auth’s Yong, the magic link vulnerability demonstrated by Dfns is not a “zero day” exploit because it requires the user to click on a hijacked link. According to Yong, this was more like a phishing attack, similar to when a malicious dapp sends a transaction to a user who then approves it, possibly leading to the sending of tokens to a malicious address.
If the user overlooks the phishing email, clicks on the link after its validity expires, or is suspicious of receiving a link without having attempted to log in, the magic link attack fails. Fayssal suggests that, for maximum effect, an attacker could time the link to arrive when the user is likely to be accessing the target service.
Yong further said that Web3Auth has defense mechanisms to protect against phishing, although he conceded that these were not enough to protect against Fayssal's loophole. Nonetheless, Web3Auth does include a line at the end of its magic link emails stating the IP address from which the sign-in request was made.
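The article describes the attack only in outline: a link the user did not request arrives, timed to look like a normal sign-in, and the attack fails if the link has expired or the user notices they never asked for it. The following is an added example, not code from Dfns, Web3Auth or Sequence, and the mechanism it models is an assumption: the common passwordless design in which a login is started in one browser and completed when the emailed link is clicked, wherever it is clicked. Run with `bind_to_requester=False` it shows how a login started by someone other than the mailbox owner can be completed by the owner's click; run with `bind_to_requester=True` it shows the standard countermeasures of binding the link to a cookie held only by the requesting browser, making it single-use, and enforcing a short expiry. Names, the 300-second TTL and the addresses are constructed for the example.

```python
"""Toy magic-link login service in a weak and a hardened configuration.

Constructed example; not the code of any vendor named in the article.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

LINK_TTL_SECONDS = 300  # assumed validity window; the article gives no figure


def _fingerprint(cookie: str) -> str:
    # Store only a hash of the browser cookie so a database leak does not expose it.
    return hashlib.sha256(cookie.encode()).hexdigest()


@dataclass
class PendingLogin:
    email: str               # address the link was mailed to
    requester_hash: str      # hash of the cookie set in the browser that asked for the link
    requester_ip: str        # shown in the email, as Web3Auth does, so an unsolicited link stands out
    issued_at: float
    used: bool = False
    authenticated: bool = False  # flipped when the link is consumed successfully


class MagicLinkService:
    def __init__(self, bind_to_requester: bool, now: Callable[[], float] = time.time):
        self.bind_to_requester = bind_to_requester  # False reproduces the weak design
        self.now = now
        self.pending: Dict[str, PendingLogin] = {}   # login_id -> state
        self.tokens: Dict[str, str] = {}             # link token -> login_id

    def request_link(self, email: str, requester_ip: str) -> Tuple[str, str, str]:
        """Anyone can submit any email address here. Returns (login_id, token, cookie).

        login_id stays in the requesting browser (it polls on it), token goes into
        the emailed link, cookie is set only in the requesting browser.
        """
        login_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        cookie = secrets.token_urlsafe(32)
        self.pending[login_id] = PendingLogin(email, _fingerprint(cookie), requester_ip, self.now())
        self.tokens[token] = login_id
        return login_id, token, cookie

    def click_link(self, token: str, presented_cookie: Optional[str]) -> bool:
        """Called when the link is opened. Returns True if a login was completed."""
        login_id = self.tokens.get(token)
        rec = self.pending.get(login_id) if login_id else None
        if rec is None or rec.used:
            return False                      # unknown or replayed link
        rec.used = True                       # single use, even if a later check fails
        if self.now() - rec.issued_at > LINK_TTL_SECONDS:
            return False                      # clicked after validity expired
        if self.bind_to_requester:
            presented = _fingerprint(presented_cookie or "")
            if not hmac.compare_digest(presented, rec.requester_hash):
                return False                  # clicked in a browser that did not start this login
        rec.authenticated = True
        return True

    def poll(self, login_id: str) -> Optional[str]:
        """The browser that started the login asks whether it is now signed in."""
        rec = self.pending.get(login_id)
        return rec.email if rec and rec.authenticated else None


def attacker_initiated_login(bind_to_requester: bool) -> Optional[str]:
    """Attacker starts a login for the victim's address; the victim clicks the emailed link."""
    svc = MagicLinkService(bind_to_requester)
    attacker_login, token, _attacker_cookie = svc.request_link("victim@example.com", "203.0.113.7")
    svc.click_link(token, presented_cookie=None)   # victim's browser never held the attacker's cookie
    return svc.poll(attacker_login)                # attacker's browser: am I now logged in as the victim?


def legitimate_login(bind_to_requester: bool) -> Optional[str]:
    """Same browser requests the link and opens it, so the cookie travels with the click."""
    svc = MagicLinkService(bind_to_requester)
    login_id, token, cookie = svc.request_link("alice@example.com", "198.51.100.4")
    svc.click_link(token, presented_cookie=cookie)
    return svc.poll(login_id)


def expired_or_replayed_login() -> Tuple[bool, bool, bool]:
    """Replay of a used link and a click after the TTL both fail in the hardened mode."""
    clock = [1_000_000.0]
    svc = MagicLinkService(True, now=lambda: clock[0])
    _login_id, token, cookie = svc.request_link("alice@example.com", "198.51.100.4")
    first = svc.click_link(token, cookie)
    second = svc.click_link(token, cookie)           # replay of an already used link
    _login2, token2, cookie2 = svc.request_link("alice@example.com", "198.51.100.4")
    clock[0] += LINK_TTL_SECONDS + 1
    late = svc.click_link(token2, cookie2)           # clicked after validity expired
    return first, second, late
```

In the weak configuration `attacker_initiated_login(False)` returns the victim's address: the attacker's browser, which started the login, is the one that ends up signed in. With binding enabled the same click returns nothing, because the victim's browser cannot present the cookie that only the attacker's browser received, and the link is burned in the process. The requester IP recorded on each pending login is what a service would print in the email so that a user who did not start a login has something concrete to be suspicious about.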
Peter Kieltyka, CEO of Horizon, the company that produces Sequence, a Web3 development platform that provides a passwordless crypto wallet, announced the implementation of extra anti-phishing measures in light of Fayssal’s investigation.
He also suggested that other organizations may need to take further measures against the weakness Dfns highlighted, but argued that Dfns had exaggerated the problem's seriousness as a "marketing ploy."