• Crypto wallet startup Dfns has discovered a critical vulnerability in ‘magic links’, a passwordless sign-in method popular among crypto wallets and web apps.
• Dfns has classified the vulnerability as a “zero day” exploit, which it says is severe enough to make magic links potentially toxic for developers to use.
• Services impacted by the vulnerability have downplayed its risk, calling it more benign than Dfns suggests.
Magic Links Have Critical Vulnerability
Crypto wallet startup Dfns has discovered a critical vulnerability in ‘magic links’, a passwordless sign-in method popular among crypto wallets and web apps. Dfns categorizes the vulnerability it discovered as a “zero day” exploit – so severe as to essentially render magic links toxic for developers. Given the ubiquity of magic links beyond just crypto wallets (they’re used by some popular password managers, for example), Dfns said in a statement that the vulnerability could “pose a considerable risk to a substantial portion of the global economy.”
What are Magic Links?
A magic link is a unique, one-time-use URL that is generated by a website or app to authenticate a user without requiring them to enter a password. When a user clicks on a magic link sent to them by an app, it verifies their identity and logs them into their account. Initially spearheaded by Slack and other popular Web2 apps, magic links have become an increasingly common sign-in method for crypto wallets due