Bug Bounties

Magic

Powered by: 

Allows bounty splitting: 

Average time to first program response: 9

Average time to bounty awarded: 210

Average time to report resolved: 979

Handle magic-bbp

Managed program: true

Name: Magic

Offers bounties: true

Offers swag: true

Response efficiency percentage: 88

Submission state: open

Url: https://hackerone.com/magic-bbp

Website: https://magic.link

In scope:

  • Asset identifier: Account Settings
  • Asset type: OTHER
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
    **Note that if you do not see the 'Account' link on the top right, please perform a hard reload in your browser.**
    **Type:** Fortmatic Modal
    **What it runs on:** Redux, HTML, LESS
    **What it does:** This provides users access to their personal settings and offers critical features such as managing their PIN, recovery email, and exporting their private key.
    **What to look for:** A host of private information is disclosed through this modal, so any web or access control vulnerability is high risk here. Any attack that can bypass or skip layers of authentication, allowing modification of a user's account, is of high interest.
    **Test plan:** You can reach the account settings from our [landing page](https://www.fortmatic.com?ref=h1) by hitting the `Account` link in the nav bar on the top right. Accessing and interacting with the modal does not require any cryptocurrency or setup beyond a Fortmatic account.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Login with SMS - Feature
  • Asset type: OTHER
  • Availability requirement: low
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
    Demo and Overview: https://magic.link/docs/login-methods/sms/build-a-demo/browser
    Getting started on React: https://magic.link/docs/login-methods/sms/integration/web
    Getting started on React Native: https://magic.link/docs/login-methods/sms/integration/react-native
    swagger.json: https://drive.google.com/file/d/1Uu_j7feFo4qot74f0zIj6xCfYyokOnUc/view
    swagger.yaml: https://drive.google.com/file/d/1NdZPQVBhrkZnEGoZmUcYqLi_3Yv5Ks5c/view
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: Magic and Fortmatic Products
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Multi-factor Auth - Feature
  • Asset type: OTHER
  • Availability requirement: low
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
    Demo and Overview: https://magic.link/docs/login-methods/sms/build-a-demo/browser
    Getting started on React: https://magic.link/docs/login-methods/sms/integration/web
    Getting started on React Native: https://magic.link/docs/login-methods/sms/integration/react-native
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: api.fortmatic.com
  • Asset type: URL
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
    **Any activity that could lead to the disruption of our service (DDoS) is explicitly out of scope.**
    **What it does:** This is our main API, serving the rest of the Fortmatic assets. As a result, a lot of functionality is exposed here, from creating and authenticating users to interacting with the blockchain.
    **What to look for:** We are interested in vulnerabilities caused by improper access control that can lead to leakage or modification of user information. Please keep in mind to only ever test against your own accounts.
    **Test plan:** Access our API by providing your API key in the `X-Fortmatic-API-Key` header. Endpoints under access control use an authorization bearer token returned by the API once the user has successfully authenticated. Inspecting `x2.fortmatic.com`'s interactions with the API will give a good idea of how the API can be invoked.
    **Known issues:** Bugs involving bypass of SMS/2FA verification are known issues and will be considered duplicates.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: api.magic.link
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
    **Any activity that could lead to the disruption of our service (DDoS) is explicitly out of scope.**
    **What it does:** This is our main API, serving the rest of the Magic assets. As a result, a lot of functionality is exposed here, from creating and authenticating users to supporting our [dashboard](https://dashboard.magic.link/login?ref=h1) functionality.
    **What to look for:** We are interested in vulnerabilities caused by improper access control that can lead to leakage or modification of user information. Please keep in mind to only ever test against your own accounts.
    **Test plan:**
    - Grab a set of API keys from our [dashboard](https://dashboard.magic.link/login?ref=h1).
    - Access our API by providing your API key in the `X-Magic-API-Key` header. Endpoints under access control use an authorization bearer token returned by the API once the user has successfully authenticated. Inspecting `auth.magic.link`'s or `dashboard.magic.link`'s interactions with the API will give a good idea of how the API can be invoked.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: auth.magic.link
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
    This is our main product, orchestrating the one-click passwordless login experience. Follow the instructions on our [documentation page](https://docs.magic.link/?ref=h1), and please keep our [out of scope vulnerabilities](https://hackerone.com/magic-bbp) in mind while testing.
    **What it is:** User interface and authentication relayer that enables passwordless authentication using magic links. The main way to interact with this interface is through our [client SDK](https://www.npmjs.com/package/magic-sdk); our [docs](https://docs.magic.link/get-started?ref=h1) will help you get up and running quickly.
    **What to look for:** We are highly interested in any access control, token enumeration, or privilege escalation vulnerabilities and consider them very high risk issues. Also keep an eye on other standard web vulnerabilities such as XSS/CSRF that could extract secrets held in local storage or cookies. Please note to only ever test against your own account.
    **What it runs on:** JavaScript ES6, TypeScript, React, Redux, HTML, CSS, LESS
    **Test plan:**
    - Get your API keys from our [dashboard](https://dashboard.magic.link/login?ref=h1).
    - Fork our [demo app](https://go.magic.link/hello-world-code) and run it with the test publishable API keys from our dashboard.
    - Entering an email will start the login process, and you'll be off to the races!
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: dashboard.fortmatic.com
  • Asset type: URL
  • Availability requirement: low
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
    Navigate to our [dashboard](https://dashboard.fortmatic.com/login?ref=h1) for signup; at this time there is no way for us to pre-assign credentials for our hackers, apologies for the inconvenience.
    **As with our other scopes, any DDoS-based exploits are explicitly out of scope.**
    **What it runs on:** HTML, LESS
    **What it does:** Developers come here to manage their access to the Fortmatic API. It contains features that are vital to the operation of a developer's app: domain verification and obtaining/rolling their API keys.
    **What to look for:** Any web vulnerability is of concern here, e.g. cross-site scripting (XSS) or cross-site request forgery (CSRF) that could force a developer to perform unwanted actions, or act on behalf of another user. We are also interested in vulnerabilities in the OAuth flow used for user sign-up/sign-in.
    **Test plan:** This is a fairly standard web application with no particular gotchas. Your standard toolkit should be all you need here.
  • Integrity requirements: medium
  • Max severity: high



  • Asset identifier: dashboard.magic.link
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
    Navigate to our [dashboard](https://dashboard.magic.link/login?ref=h1) for signup; at this time there is no way for us to pre-assign credentials for our testers, apologies for the inconvenience. Please keep our [out of scope vulnerabilities](https://hackerone.com/magic-bbp) in mind while testing.
    **As with our other scopes, any DDoS-based exploits are explicitly out of scope.**
    **What it runs on:** React, Redux, JavaScript, TypeScript, HTML, CSS, LESS
    **What it does:** Developers come here to manage their access to the Magic API. It contains features that are vital to the operation of a developer's app: billing setup, branding customizations*, and obtaining/rolling their API keys, to name a few.
    **What to look for:** Any web vulnerability is of concern here, e.g. cross-site scripting (XSS) or cross-site request forgery (CSRF) that could force a developer to perform unwanted actions, or act on behalf of another user. Access control bypasses are also of interest to us: can you bypass payments to get access to branding or to other higher paid-tier features?
    **Test plan:** This is a fairly standard web application with no particular gotchas. Your standard toolkit should be all you need here.
    *Branding is available to the developer tier and up. However, a free trial can be used to access any paid-tier feature.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: fortmatic.com
  • Asset type: URL
  • Availability requirement: low
  • Confidentiality requirement: none
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: If you've previously visited this [page](https://www.fortmatic.com?ref=h1), we highly recommend performing one hard reload when visiting this asset as an older version of the page may still be cached by your browser.
  • Integrity requirements: none
  • Max severity: low



  • Asset identifier: x2.fortmatic.com
  • Asset type: URL
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
    Please follow the instructions on our [documentation page](https://docs.fortmatic.com/?ref=h1).
    **What it is:** User interface for the Fortmatic web3 provider. The constructor of the [SDK](https://www.npmjs.com/package/fortmatic) takes an API key and an optional environment variable and constructs an iframe from the source https://x2.fortmatic.com with the passed-in arguments as URL parameters. It runs inside an iframe element that the SDK configures within the parent web application; the SDK invokes it with URL parameters from which the API key, Ethereum environment, and parent domains are parsed.
    **What to look for:** We are highly interested in any access control or privilege escalation vulnerabilities and consider them very high risk issues. Also keep an eye on other standard web vulnerabilities such as XSS that could extract secrets held in local storage. Please note to only ever test against your own account.
    **What it runs on:** Redux, HTML, LESS
    **Test plan:**
    - You can access the app on the Ethereum [testnet](https://demo-wallet--fortmatic.repl.co/) or [mainnet](https://demo-kitchen-sink--fortmatic.repl.co/).
    - You will require ETH to access the full set of functionality offered. To get free test ether, feel free to use the app on the [testnet](https://demo-wallet--fortmatic.repl.co/).
    - Try to invoke the iframe in different ways, with and without the SDK.
    - It relies on a `message` event listener to communicate actions to and from the iframe element.
    - Authenticated secrets such as the `user_session_token` are held in the browser's local storage.
  • Integrity requirements: high
  • Max severity: critical