Magic links are susceptible to man-in-the-middle attacks if your DNS is compromised, like on public WiFi, because the reset token is in the URI itself. So you're most vulnerable when you click the link.
No, they're not, unless you also have a valid TLS certificate for the domain.
If I link you to https://foo.com/login?token=123, you need a valid TLS certificate to foo.com in order for my browser to actually send that token to it or for me to reach that page.
Even if you MITM DNS to give an IP address you control, it doesn't matter since you won't have a valid TLS certificate for foo.com, and so you gain no information.
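The scenario from the reply above, as an added example that is not code from the thread: a Go HTTPS client whose every connection is redirected to a host it did not ask for, standing in for poisoned DNS. That host is a local `httptest` server with Go's built-in self-signed test certificate; `spoofedFetch` is a name chosen here.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// spoofedFetch requests url with normal certificate verification, but dials a
// local HTTPS server instead of the real host (the effect of a spoofed DNS
// answer). It returns how many HTTP requests that server received and the
// client's error.
func spoofedFetch(url string) (int32, error) {
	var seen int32
	// Stand-in for the host behind the spoofed DNS answer. Its certificate is
	// self-signed (assumption of this example), so it is not trusted for foo.com.
	spoofed := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) {
			// Any request arriving here would carry the token in r.URL.
			atomic.AddInt32(&seen, 1)
		}))
	defer spoofed.Close()

	client := &http.Client{Transport: &http.Transport{
		// TLS settings are left at their defaults: system roots, hostname check on.
		// Only name resolution is overridden: every dial goes to the spoofed host.
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, network, spoofed.Listener.Addr().String())
		},
	}}
	resp, err := client.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return atomic.LoadInt32(&seen), err
}

func main() {
	seen, err := spoofedFetch("https://foo.com/login?token=123")
	fmt.Println("client error:", err)
	fmt.Println("requests received by spoofed host:", seen)
}
```

The handshake fails on certificate verification before the client writes the request line, so the handler never runs and the query string never leaves the client.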