Due to a Chromium vulnerability affecting all released versions of the Mist Browser Beta v0.9.3 and below, we are issuing this alert warning users not to browse untrusted websites with Mist Browser Beta at this time. Users of “Ethereum Wallet” desktop app are not affected.
Affected configurations: Mist Browser Beta v0.9.3 and below
Likelihood: Medium
Severity: High
Malicious websites can potentially steal your private keys.
As Ethereum Wallet desktop app does not qualify as a browser — it accesses only the local Wallet Dapp — it is not subject to the same category of issues present in Mist. For now, it is recommended to use Ethereum Wallet to manage funds and interact with smart contracts instead.
Mist Browser’s vision is to be a complete user-facing bridge to the ethereum blockchain and set of technologies that compose the Web3. The browser paves a significant path for the next Web our ecosystem is proudly building.
Security-wise, making a browser (an app that loads untrusted code) that handles private keys is a challenging task. Over the course of the last year, we have had Cure53 conduct an extensive security audit of Mist, and vastly improved the security of both the Mist browser and the underlying platform, Electron. We’ve promptly fixed found security issues.
But that is not enough. Security in the browser space is a never-ending battle. The Mist browser is based on Electron, which is based on Chromium. Each new Chromium release fixes numerous security issues.
The layer between Mist and Chromium, Electron, is a project led by GitHub that aims to ease the creation of cross-platform applications using JavaScript. Recently, Electron hasn’t kept up to date with Chromium, leading to an increasing potential attack surface as time passes.
A core problem with the current architecture is that any 0-day Chromium vulnerability is several patch-steps away from Mist: first Chromium needs to be patched, then Electron needs to update the Chromium version, and finally, Mist needs to update to the new Electron version.
We’re examining how we could deal with Electron’s not-so-frequent release schedule, to reduce the gap between Chromium versions we use. From preliminary studies, Brave’s Muon (an Electron fork) follows Chromium updates closely and is one potential option. The Brave browser, which also contains a cryptocurrency wallet integration, has a similar threat-model and demands for security as Mist.
An important reminder: Mist is still beta software, and you must treat it as such. The Mist Browser beta is provided on an “as is” and “as available” basis and there are no warranties of any kind, expressed or implied, including, but not limited to, warranties of merchantability or fitness of purpose.
Quick security checklist:
- Avoid keeping large quantities of ether or tokens in private keys on an online computer. Instead, use a hardware wallet, an offline device or a contract-based solution (preferably a mix of those).
- Back up your private keys — Cloud services are not the best option to store it.
- Do not visit untrusted websites with Mist.
- Do not use Mist on untrusted networks.
- Keep your day-to-day browser updated.
- Keep track of your Operating System and anti-virus updates.
- Learn how to verify file checksums (link).
Lastly, we would like to thank the security researchers that worked hard on reproducing and making invaluable submissions through the Ethereum Bounty program.
If you need further information, get in touch here: mist[at]ethereum dot org.
[We’ll update this post as the situation evolves].
@evertonfraga
Mist Team