Fellow security practitioners,
In the ongoing fight against cybersecurity threats, we want to warn the industry about a potential vulnerability in the use of email magic links.
Some email providers offer optional security features, such as Safe Links in Microsoft Defender for Office 365, that identify and neutralize phishing attacks. To inspect a link for malicious content, the feature follows it automatically, which amounts to clicking it on the recipient's behalf.
When such a feature is enabled, any product that relies on an email magic link as a one-time authentication step can expose itself to fraud, because the security feature clicks the link before the recipient does. A bad actor could register with an authentication service using someone else's email address and gain access to the resulting account, even though the real user never clicked the registration link.
To combat this potential vulnerability, Trusona includes a dedicated step in the email verification process of our mobile app registration flow. After the magic link has been followed, this step requires the user to actively click a second link within a web browser, which ensures that only the email account owner can complete the registration, even when the Safe Links feature is enabled.
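The following is an added illustration, not Trusona's code, that models the two designs side by side: a link whose first fetch completes verification, and the two-step variant in which the fetch only renders a page and a separate user action consumes the token. The `MagicLinkService` class, the `example.invalid` URL and the `scanner_follows` helper are hypothetical.

```python
import secrets
from typing import Dict, Set


class MagicLinkService:
    """Email-verification endpoint reached by a magic link (hypothetical).

    consume_on_get=True models the weak design: following the link once,
    which an email link scanner does on its own, completes verification.
    consume_on_get=False models the two-step design: the GET only renders
    a page with a confirm button, and the POST that button sends is what
    consumes the token.
    """

    def __init__(self, consume_on_get: bool = False) -> None:
        self.consume_on_get = consume_on_get
        self._pending: Dict[str, str] = {}   # token -> email awaiting confirmation
        self._verified: Set[str] = set()

    def issue_link(self, email: str) -> str:
        token = secrets.token_urlsafe(32)    # 256-bit random, single-use token
        self._pending[token] = email
        return f"https://example.invalid/verify?token={token}"

    def _consume(self, token: str) -> str:
        email = self._pending.pop(token, None)   # pop makes the token single-use
        if email is None:
            return "invalid_or_expired"
        self._verified.add(email)
        return "verified"

    def handle_get(self, token: str) -> str:
        """Performed by a link scanner, a mail client preview, or a user's first click."""
        if token not in self._pending:
            return "invalid_or_expired"
        if self.consume_on_get:
            return self._consume(token)
        return "confirmation_page"           # token untouched; nothing verified yet

    def handle_post(self, token: str) -> str:
        """Sent only when a person presses the confirm button on the landing page."""
        return self._consume(token)

    def is_verified(self, email: str) -> bool:
        return email in self._verified


def scanner_follows(service: MagicLinkService, link: str) -> str:
    """Constructed stand-in for an email security scanner that fetches every link."""
    return service.handle_get(link.split("token=", 1)[1])
```

The two-step design assumes the scanner only fetches the link and does not submit forms on the rendered page; a scanner that executed page scripts would call for a stronger user-presence check.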
Join us in sharing this potential vulnerability and protect organizations from rogue security threats.
—The Trusonauts