This post sets out our response, following a detailed internal investigation, to a claimed vulnerability in Web3 Magic Links.
Today we want to take the opportunity to address a claimed vulnerability in Magic Links for Web3 that was highlighted by DFNS.co.
The disclosure describes a phishing attack on passwordless Magic Links. The technique applies to Web2 applications as well, but the write-up was aimed specifically at Web3 applications.
A short summary of the incident with the timelines:
- This phishing method was disclosed to us privately on Thursday, 23rd February 2023, over a voice call.
- Between 23rd and 25th February, the Web3Auth team investigated which users and accounts could potentially have been affected.
- The investigation found no cases of existing users being affected by this attack.
- A verification challenge and stricter IP policies were implemented to prevent future phishing attempts on Monday, 27th February, 2023.
A brief overview of the phishing attack:
In the conventional flow, a user who signs up for or logs in to an account receives a verification email containing a link to confirm the email address. Once the link is followed, the user can access the dashboard or account.
In the phishing variant, a malicious third party triggers the login request for the victim's email address from the attacker's own browser. The service then sends the passwordless Web3 Magic Link to the victim, possibly presented with a call-to-action button that prompts them to log in. If the victim clicks the link, it completes the login that the attacker started, so the attacker is logged in on the victim's behalf while the victim is unaware of the consequences until the account is accessed or altered. The essential point is that the victim never initiated the request: the link was requested by someone else and only looks like a normal login email.
That is how the claimed vulnerability works; it turned out to be a well-known phishing pattern.
Upon notification of the issue on 23rd February 2023, Web3Auth conducted a detailed investigation into the scenarios under which it might have occurred.
The investigation found no cases of this attack affecting our existing user accounts. Our existing policies already show users where a login request originated and keep support channels open for reporting requests that look malicious, which prepares us for similar incidents in which the user did not trigger the request in the first place. We continue to conduct business and everyday operations as normal, and our users have nothing to worry about.
Our future commitment
However, this gave us an opportunity to tighten our existing security measures further. As immediate remedial action, we have proactively added security policies to identify potential and existing phishing attempts. These include a numeric login code that the user matches and verifies, so that a login request the user did not initiate can be recognised, together with more stringent IP blocking when the request and the link click originate from different locations.
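The flow described in the attack overview above, beside a completion step that applies the kind of checks just described, as an added example. This is not Web3Auth's code: the service, the session ids, the IP addresses and the in-memory "outbox" standing in for e-mail delivery are all constructed for the illustration. The vulnerable version logs in whichever browser session requested the link, which is exactly what the attacker exploits; the hardened version binds the click to the browser that started the login with a cookie, refuses a click from a different address, enforces expiry and single use, and shows the numeric code in both the requesting browser and the e-mail so the user can compare them.

```python
# Added illustration of the magic-link phishing flow and a hardened completion
# step. Not Web3Auth's code: service, session ids, IP addresses and the
# in-memory "outbox" standing in for e-mail delivery are all constructed.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PendingLogin:
    email: str
    requester_session: str  # browser session that asked for the link
    requester_ip: str
    binding_cookie: str     # secret set only in the requesting browser
    code: str               # numeric code shown in that browser and in the e-mail
    created_at: float


class MagicLinkService:
    def __init__(self, ttl_seconds: int = 600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}   # link token -> PendingLogin
        self.sessions = {}  # session id -> authenticated e-mail address
        self.outbox = []    # stand-in for the mail server

    def request_login(self, email: str, session_id: str, ip: str) -> dict:
        """Anyone who knows an address can call this; it is the attacker's entry point."""
        token = secrets.token_urlsafe(32)
        cookie = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(100):02d}"
        self.pending[token] = PendingLogin(email, session_id, ip, cookie, code, self.clock())
        self.outbox.append({"to": email, "token": token, "code": code})
        # The requesting browser stores the cookie and displays the code.
        return {"cookie": cookie, "code": code}

    def complete_vulnerable(self, token: str) -> Optional[str]:
        """The flaw: the link alone logs in whichever session *requested* it."""
        req = self.pending.pop(token, None)
        if req is None:
            return None
        self.sessions[req.requester_session] = req.email
        return req.requester_session

    def complete_hardened(self, token: str, presented_cookie: Optional[str],
                          clicker_ip: str) -> Tuple[bool, str]:
        req = self.pending.get(token)
        if req is None:
            return False, "unknown or already used token"
        if self.clock() - req.created_at > self.ttl:
            del self.pending[token]
            return False, "expired"
        # Same-browser binding: the click must carry the cookie the request set,
        # so someone who did not start the login cannot complete it by clicking.
        if presented_cookie is None or not hmac.compare_digest(presented_cookie, req.binding_cookie):
            return False, "link opened in a browser that did not start this login"
        # Location check: request and click from different addresses is refused.
        if clicker_ip != req.requester_ip:
            return False, "request and link click came from different addresses"
        del self.pending[token]  # single use, consumed only after every check passed
        self.sessions[req.requester_session] = req.email
        return True, "ok"


def attacker_initiated(use_hardened: bool) -> dict:
    """Attacker requests a link for the victim's address; the victim clicks it elsewhere."""
    svc = MagicLinkService()
    svc.request_login("victim@example.com", "attacker-browser", "203.0.113.5")
    mail = svc.outbox[-1]
    if use_hardened:
        granted, reason = svc.complete_hardened(mail["token"], None, "198.51.100.7")
    else:
        granted = svc.complete_vulnerable(mail["token"]) is not None
        reason = "link alone completed the requester's login"
    return {"granted": granted, "reason": reason,
            "attacker_logged_in_as": svc.sessions.get("attacker-browser")}


def legitimate_login() -> dict:
    """Alice starts the login herself and opens the link in the same browser."""
    svc = MagicLinkService()
    shown = svc.request_login("alice@example.com", "alice-browser", "198.51.100.7")
    mail = svc.outbox[-1]
    granted, _ = svc.complete_hardened(mail["token"], shown["cookie"], "198.51.100.7")
    replayed, _ = svc.complete_hardened(mail["token"], shown["cookie"], "198.51.100.7")
    return {"codes_match": shown["code"] == mail["code"],  # what Alice is asked to compare
            "granted": granted, "replay_granted": replayed,
            "alice_logged_in_as": svc.sessions.get("alice-browser")}


if __name__ == "__main__":
    print(attacker_initiated(use_hardened=False))
    print(attacker_initiated(use_hardened=True))
    print(legitimate_login())
```

Two points about the design. The cookie binding is the server-enforced part: the numeric code only helps if the user actually compares the two values, whereas a click without the requester's cookie can never complete a login, whoever made it. The strict IP equality is a simplification of "stricter IP policies"; mobile and corporate addresses change mid-session, so production systems usually treat a mismatch as a risk signal that triggers an additional challenge rather than an unconditional refusal.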
To ensure that we handle similar issues in a timely and effective manner, we have developed a security SOP (standard operating procedure). If you discover an issue with our product, please email us at security@web3auth.io; our team will review your submission and respond within 72 hours. When submitting an issue, please provide as much detail as possible, including steps to reproduce it, its potential impact, and any other information that may help.
Feel free to refer to our bug bounty program as well.
As part of our commitment to platform security, we will acknowledge your submission and keep you informed of our progress in addressing the vulnerability. With your permission, we will also publicly recognize your contribution in our security hall of fame.
We take the security of our platform very seriously. We acknowledge your support and extend our gratitude for joining us in our mission to improve the security of Web3Auth and Web3 as an entirety.