MEDIUM
The severity rating is MEDIUM because while these vulnerabilities can lead to unintended logins, the impact is mitigated by the short-lived nature of magic links and the requirement for user interaction. In homelab environments, these risks are still present but more controlled; in production, they pose a moderate risk due to potential unauthorized access. Patches exist as best practices, but their maturity varies across different implementations.

Magic links, a form of passwordless authentication, are widely used but can pose significant security risks if not implemented correctly. The basic idea is to send a one-time-use link to the user's email address; visiting the link logs the user in. Several common pitfalls can undermine the security of such systems. For instance, some implementations log the user in as soon as the magic link is requested, so browser prefetching or email-client link previews, which issue GET requests without the user clicking anything, can trigger unintended logins. A further issue arises when the user taps the link inside an email client on their phone: the session is established in the email app's embedded browser rather than in the browser tab where the user started the login. To mitigate these risks, the magic link should lead to a page where users must explicitly click a button to claim the code, and that page should then instruct them to return to their original browser tab to continue. This approach ensures that the user is aware of the login process and keeps control over which device and browser context the session is created in.

Affected Systems
  • Web applications using passwordless authentication with magic links
  • Email clients and browsers that auto-fetch content
Affected Versions: All versions implementing insecure magic link mechanisms
Remediation
  • Ensure the magic link leads to a page where users must click an explicit button to claim their code: Update login logic in your web application to require user interaction before claiming the code. For example, update the route handler for magic links to serve a form with a submit button.
  • Modify email handling to instruct users to return to their original browser tab: Add instructions within the magic link page to guide users back to their primary browsing session and refresh the login status there. Example command: `window.open('https://example.com/login-verification', '_blank');`
  • Implement short-lived tokens with sufficient entropy: Set expiration times for magic links (e.g., 15 minutes) and ensure secret codes have at least 64 bits of entropy.
  • Store hashes of the secret code in the database, not the original code: Use a secure hashing algorithm like bcrypt to store hashed versions of the secret codes.
Stack Impact

Common homelab stacks using magic links may be directly impacted if they rely on automated GET requests or lack explicit user interaction steps. For example, configurations in `app.js` that handle route logic for login pages need adjustment.
