
Cryptocurrency wallet company Dfns claims "magic links" have a serious vulnerability


According to cryptocurrency wallet startup Dfns, "magic links", a passwordless login method used by crypto wallets and, increasingly, by web applications in general, have significant security vulnerabilities.

Dfns provides wallet services and is backed by investors such as White Star Capital, Hashed, Susquehanna, Coinbase Ventures, and ABN Amro.

  • A magic link is a one-time URL generated by a website or application to authenticate a user without asking for a password. When the user clicks the magic link the application has emailed them, they confirm their identity and are signed in to their account.
  • First popularized by Slack and other Web 2 applications, magic links have become an increasingly common login method for crypto wallets. Instead of requiring users to memorize complex keys or seed phrases, magic links are promoted as a faster, easier, and safer way to log in.
  • But Dfns says magic links, which can be implemented differently from one application to the next, are often less secure than traditional login methods.
  • Dfns classifies the weakness it found as a "zero-day" exploit, so serious that it effectively makes magic links toxic to any developer who uses them. Given that magic links are everywhere, well beyond crypto wallets (some well-known password managers use them, for example), Dfns said in a statement that the vulnerability would "pose a serious threat to a large part of the global economy."

However, the services affected by the vulnerability, speaking to CoinDesk, played the risk down considerably, calling it a more sophisticated kind of phishing attack, though still a worrying one. In addition, several popular wallet providers complained that Dfns gave them less than three days' notice before rushing to publish its findings, far short of the widely accepted standard for vulnerability disclosure.

They also pointed out that Dfns has an interest in disparaging passwordless wallet offerings: Dfns' business model involves securing wallet keys for its customers.

Although not everyone accepted Dfns' assessment of how important its findings were, the people who spoke to CoinDesk noted that the results showed how some cryptocurrency companies trade off security for ease of use in trying to attract users.

"In the early 2000s, usernames and passwords were constantly hacked. But today we have two-factor authentication, OTP (one-time password), and other safer ways to log in," Zhen Yu Yong, CEO of Web3Auth, told CoinDesk. (Web3Auth offers a passwordless login service that was vulnerable to the exploit.) The crypto industry still "uses a single source of verification."

Stealing magic links

In a demonstration over Zoom, Dr. Samer Fayssal, chief information security officer at Dfns, showed how an attacker could take over a user's account at a popular "magic link" crypto wallet service using the user's email address.

Using a newly created CoinDesk burner wallet as a test dummy, Fayssal showed how an attacker could send magic links that appeared to be (and, in a sense, were) real. The link came from the wallet service's real email address, and clicking it signed CoinDesk in to its burner wallet.

  1. But when Fayssal shared his screen, he revealed that by clicking the link, CoinDesk had unwittingly given him full access to the wallet.
  2. With two Dfns lawyers on the call (apparently to witness that Dfns was not actually hacking CoinDesk), Fayssal agreed to repeat his attack against other passwordless crypto wallet services.
  3. In each case, it was Fayssal, not CoinDesk, who initiated the login request that caused the magic link to be emailed. Receiving a login email when you have not tried to log in to the service is usually a sign of phishing, even if the email looks entirely legitimate.

Fayssal did not explain how he carried out the attack, telling CoinDesk that he did not want his method to fall into the wrong hands. However, he said he had personally contacted dozens of companies he believed were vulnerable and had committed to helping them implement mitigations.

For users of magic link wallets, "the advice I would give to the user is to implement two-factor authentication as quickly as possible, if possible," Fayssal said.

CoinDesk spoke with three crypto companies known to use magic links. All of them confirmed that Fayssal's findings were correct, but all argued that Dfns had overplayed its hand by calling the attack a "zero-day."

Magic Labs, one of the companies used in the demonstrations, said it was no longer vulnerable a day later.

"Magic Labs is no longer vulnerable to this type of phishing, and as far as we know none of our end users have been affected," said Sean Li, CEO of Magic Labs. "We are constantly evaluating and improving the security of the platform."

Zero-day or phishing attack?

Web3Auth is another crypto wallet service Dfns used to demonstrate the magic link weakness to CoinDesk. According to Web3Auth's Yong, the magic link weakness does not rise to the level of a serious "zero-day" exploit, since users have to click on a hijacked magic link for it to work.

  • "We see this as a phishing attack," Yong told CoinDesk. "Like a phishing attack on MetaMask, where an application sends a malicious transaction, it is approved by the user, then the user could send the tokens to a malicious address or something like that."
  • The magic link attack fails if the user never opens the hijacked email, clicks the link after it has expired, or becomes suspicious that a magic link arrived when they had not tried to log in. (On this last point, Fayssal said an attacker could strategically time the link to arrive when the user is expected to log in to the target service.)
  • Yong told CoinDesk that Web3Auth had protections in place to prevent phishing, though he acknowledged that these defenses were insufficient to counter Fayssal's weakness.

To Web3Auth's credit, however, the company includes a line at the bottom of its magic link email showing the IP address from which the login attempt was initiated. In Fayssal's demo, the magic link CoinDesk received came from an IP address other than CoinDesk's own, a small hint that the link was fraudulent, even though the email came directly from Web3Auth.
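To make the mechanics concrete, the following toy Python service is an added example, not code from Dfns, Web3Auth, Magic Labs or any other company in this story. It models the flow from Fayssal's demonstration (a third party requests a link for someone else's email address, and the victim's click completes a login the victim never started) beside a hardened variant that only completes a login in the browser that asked for it, and it writes the requester's IP address into the email as Web3Auth does. The domain, IP addresses, ten-minute expiry and the cookie-based browser binding are all assumptions of the example.

```python
"""Toy magic-link login: the weak design the demo exploits next to a
browser-bound variant. Assumed design for illustration; no vendor's code."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 600                      # assumption: links expire after ten minutes
BASE_URL = "https://wallet.example/login"    # placeholder domain, not a real service


@dataclass
class PendingLogin:
    email: str
    requester_ip: str       # IP of the browser that asked for the link
    requester_nonce: str    # random value set as a cookie in that same browser
    created_at: float


class MagicLinkService:
    def __init__(self, bind_to_requesting_browser: bool):
        self.bind = bind_to_requesting_browser
        self.pending: Dict[str, PendingLogin] = {}   # token -> pending login
        self.sessions: Dict[str, str] = {}           # browser nonce -> signed-in email

    def request_link(self, email: str, requester_ip: str, now: float) -> Tuple[str, str, str]:
        """Anyone may request a link for any address. The requesting browser gets a
        pending-login cookie (the nonce); the address gets the email. Returns
        (token, nonce, email body)."""
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(16)
        self.pending[token] = PendingLogin(email, requester_ip, nonce, now)
        body = (f"Sign-in link: {BASE_URL}?token={token}\n"
                f"This request was made from IP {requester_ip}.")  # the hint Web3Auth's mail carries
        return token, nonce, body

    def click_link(self, token: str, clicker_nonce: Optional[str], now: float) -> bool:
        """Called when a browser holding cookie `clicker_nonce` (or no cookie) opens the link.
        Returns True if a login was completed."""
        p = self.pending.get(token)
        if p is None or now - p.created_at > TOKEN_TTL_SECONDS:
            return False                       # unknown, already used, or expired link
        if self.bind:
            # Hardened: only the browser that asked for the link may complete it.
            if clicker_nonce is None or not hmac.compare_digest(p.requester_nonce, clicker_nonce):
                return False                   # click came from a browser that never asked
            del self.pending[token]
            self.sessions[clicker_nonce] = p.email
            return True
        # Weak: any valid click completes the pending login for whoever requested it,
        # and signs in the clicking browser too.
        del self.pending[token]
        self.sessions[p.requester_nonce] = p.email
        if clicker_nonce is not None:
            self.sessions[clicker_nonce] = p.email
        return True

    def signed_in_as(self, nonce: Optional[str]) -> Optional[str]:
        return self.sessions.get(nonce) if nonce else None


def phished_login(bind: bool) -> Tuple[bool, Optional[str]]:
    """Replays the demo: a third party requests a link for the victim's address (constructed
    values) and the victim opens it in a browser that never requested a login.
    Returns (victim's click completed a login, who the requester's browser is signed in as)."""
    svc = MagicLinkService(bind)
    now = 1_700_000_000.0
    token, requester_nonce, _body = svc.request_link("victim@example.com", "203.0.113.5", now)
    victim_click_ok = svc.click_link(token, clicker_nonce=None, now=now + 30)
    return victim_click_ok, svc.signed_in_as(requester_nonce)


def legitimate_login(bind: bool, delay: float = 30.0) -> Optional[str]:
    """The user requests the link and clicks it from the same browser."""
    svc = MagicLinkService(bind)
    now = 1_700_000_000.0
    token, nonce, _body = svc.request_link("user@example.com", "198.51.100.7", now)
    svc.click_link(token, clicker_nonce=nonce, now=now + delay)
    return svc.signed_in_as(nonce)


if __name__ == "__main__":
    print("weak design, phished:", phished_login(False))       # requester's browser gets the session
    print("bound design, phished:", phished_login(True))       # nothing is signed in
    print("bound design, legitimate:", legitimate_login(True))
```

In the weak variant the requester's browser ends up signed in as the victim, which is what CoinDesk saw when Fayssal shared his screen; in the bound variant the same click completes nothing, because the victim's browser holds no pending-login cookie. The binding does not replace the other signals the article mentions (expiry, the originating IP in the mail, two-factor authentication); it removes the property the attack depends on, that a click from one browser can finish a login started in another.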

Yong said Web3Auth would introduce additional anti-phishing measures as a result of Fayssal's research.

Sequence, a Web3 development platform that offers a passwordless cryptocurrency wallet, told CoinDesk that it had protections in place that caused the weakness Dfns found to fail. "In Sequence's case, I think it's not completely bad," said Peter Kieltyka, CEO of Horizon, the company that builds Sequence. "But you know, yes, for other products, I think they might want to take extra precautions."

Kieltyka accused Dfns of exaggerating the severity of the weakness as a "marketing strategy."
