Magic icon Magic HackerOne

Target Policy
https://hackerone.com/magic-bbp?type=team
Structured Scope
  • Asset Identifier
    Asset Type
    Max Severity
  • dashboard.fortmatic.com

    Navigate to our [dashboard](https://dashboard.fortmatic.com/login?ref=h1) for signup, at this time there is no way for us to pre-assign credentials for our hackers, apologies for the inconvenience.

    **Similar to our other scopes any DDoS based exploits are explicitly out of scope**

    **What it runs on:**
    - HTML, LESS

    **What it does:**
    - Developers come in here to manage their access to the Fortmatic API. It contains features that are vital to the operation of the developers’ app -- domain verification, and obtaining/rolling their API keys.

    **What to look for:**
    - Any web vulnerabilities are of concern here e.g, cross-site scripting (XSS) or cross-site request forgery (CSRF) that could force the developer to commit unwanted actions or on behalf of another user. Also interested in vulnerabilities in the OAuth flow that occur for user sign-up/sign-in.

    **Test plan:**
    - This is a fairly standard web application, with no particular gotchas. Your standard tool kit should be all that you’d need here.

    URL
    high
  • Account Settings

    **Note that if you do not see the 'Account' link on the top right please perform a hard-reload in your browser**

    **Type:** Fortmatic Modal

    **What it runs on:**
    - Redux, HTML, LESS

    **What it does:**
    - This provides users access to their personal settings, and offers critical features such as managing their PIN, recovery email, and exporting their private key.

    **What to look for:**
    - There is a host of private information being disclosed through this modal. Any web or access control vulnerabilities are of high risk here. Any attacks that can bypass, or skip layers of authentication allowing modification of a user's account is of high interest.
    **Test plan:**
    - You can gain access to the account settings on our [landing page](www.fortmatic.com?ref=h1) and hitting the `Account` link in the nav bar on the top right. Accessing and interacting with the modal will not require any cryptocurrencies or setup beyond a Fortmatic account.

    OTHER
    critical
  • auth.magic.link

    This is our main product, orchestrating the one-click passwordless login experience.
    Follow the instructions on our [documentation page](https://docs.magic.link/?ref=h1), and please keep our [out of scope vulnerabilities](https://hackerone.com/magic-bbp) in mind while testing.

    URL
    critical
  • newton.xyz

    Magic Labs has been engaged to manage the Magic Newton Foundation bug bounty for the Newton Protocol.

    Staking Contract: 0x8f0D9acBdf8Dbeea67af639CbC995a9767e14488
    Validator Contract: 0x3846a94F817AcB78fb983f8631E779e49cbE888f

    URL
    critical
  • dashboard.magic.link

    Navigate to our [dashboard](https://dashboard.magic.link/login?ref=h1) for signup, at this time there is no way for us to pre-assign credentials for our testers, apologies for the inconvenience. Please keep our [out of scope vulnerabilities](https://hackerone.com/magic-bbp) in mind while testing.

    **Similar to our other scopes any DDoS based exploits are explicitly out of scope*

    URL
    critical
  • x2.fortmatic.com

    Please follow the instructions on our [documentation page] (https://docs.fortmatic.com/?ref=h1).

    **What it is:**
    - User interface for the Fortmatic web3 provider. The constructor of the [SDK](https://www.npmjs.com/package/fortmatic) takes in an API key and an optional environment variable and constructs an iframe from the source https://x2.fortmatic.com with the passed in arguments as url parameters.
    - It runs inside an iframe element. The sdk configures the iframe inside the parent web application. It is invoked with URL parameters inside the sdk, from which the api key, ethereum environment and parent domains are parsed.

    **What to look for:**
    - We are highly interested in any access control, or privilege escalation vulnerabilities and consider them as very high risk issues Also keep an eye on other standard web vulnerabilities such as XSS for extracting held secrets in local storage. Please note to only ever test against your own account.

    **What it runs on:**
    - Redux, HTML, LESS

    **Test plan:**
    - You can access the app on the Ethereum [testnet](https://demo-wallet--fortmatic.repl.co/) or [mainnet](https://demo-kitchen-sink--fortmatic.repl.co/).
    - You will require ETH to access the full set of the functionality offered. To get access to free test ethers, feel free to use the app on the [testnet](https://demo-wallet--fortmatic.repl.co/).
    - Try to invoke the iframe in different ways, with and without the sdk
    - It relies on a ‘message’ event listener to properly communicate actions to and from the iframe element.
    - Authenticated secrets such as the `user_session_token` are held in the browser’s local storage.

    URL
    critical
  • portal.magicnewton.com
    URL
    critical
  • api.fortmatic.com

    **Any activity that could lead to the disruption of our service (DDOS) is explicitly out of scope.**

    **What it does:**
    - This is our main API that serves the rest of the Fortmatic assets. As a result a lot of functionality is exposed here -- everything from creating/authenticating users to interacting with the blockchain can be found.

    URL
    critical
  • static.fortmatic.com
    URL
    none
  • email.fortmatic.com
    URL
    none
  • careers.fortmatic.com
    URL
    critical
  • developers.fortmatic.com

    Out of scope third-party hosted integration

    URL
    none
  • Login with SMS - Feature

    Demo and Overview:
    https://magic.link/docs/login-methods/sms/build-a-demo/browser

    Getting started on React:
    https://magic.link/docs/login-methods/sms/integration/web

    Getting started on React Native:
    https://magic.link/docs/login-methods/sms/integration/react-native

    swagger.json: https://drive.google.com/file/d/1Uu_j7feFo4qot74f0zIj6xCfYyokOnUc/view

    swagger.yaml: https://drive.google.com/file/d/1NdZPQVBhrkZnEGoZmUcYqLi_3Yv5Ks5c/view

    OTHER
    critical
  • docs.fortmatic.com
    URL
    none
  • Multi-factor Auth - Feature

    Demo and Overview:
    https://magic.link/docs/login-methods/sms/build-a-demo/browser

    Getting started on React:
    https://magic.link/docs/login-methods/sms/integration/web

    Getting started on React Native:
    https://magic.link/docs/login-methods/sms/integration/react-native

    OTHER
    critical
  • fortmatic.com

    If you've previously visited this [page](https://www.fortmatic.com?ref=h1), we highly recommend performing one hard reload when visiting this asset as an older version of the page may still be cached by your browser.

    URL
    low
  • Magic and Fortmatic Products
    OTHER
    critical
  • api.magic.link

    **Any activity that could lead to the disruption of our service (DDOS) is explicitly out of scope.**

    URL
    critical
  • Any .magic.link demo sites
    OTHER
    critical
Target Scope Domains
  • api.fortmatic.com
  • api.magic.link
  • auth.magic.link
  • careers.fortmatic.com
  • dashboard.fortmatic.com
  • dashboard.magic.link
  • fortmatic.com
  • newton.xyz
  • portal.magicnewton.com
  • x2.fortmatic.com
Tech Stack
Last Finished Scan:
Scan Name
Fleet
Finished
State
auto-gausubs-2-kor
allkxss
2 months, 2 weeks ago
Finished
auto-gausubs-2-kor
  • Fleet: allkxss
  • Duration: 29 Seconds
  • Finished: 2 months, 2 weeks ago