Security Alert – Mist can be vulnerable when navigating to malicious DApps






  • Mist leaks some low-level APIs which DApps could use to gain access to the computer's file system and read/delete files. This would only affect you if you navigate to an untrusted DApp that knows about these vulnerabilities and specifically tries to attack users. Upgrading Mist is highly recommended to prevent any exposure to attacks.

    Affected configurations: All versions of Mist including and prior to 0.8.6 (This doesn’t concern the Ethereum Wallet, as it can’t load external DApps)
    Likelihood: Medium
    Severity: High

    Summary

    Some Mist API methods were exposed, making it possible for malicious webpages to get access to a privileged interface that could delete files on the local filesystem or launch registered protocol handlers and obtain sensitive information, such as the user directory or the user's coinbase.
    Vulnerable exposed Mist APIs:
    mist.shell
    mist.dirname
    mist.syncMinimongo
    web3.eth.coinbase is now null if the account is not allowed for the DApp

    Solution

    Upgrade to the latest version of the Mist Browser. Do not use any previous Mist versions to navigate to any untrusted webpage, or local webpages from unknown origins. The Ethereum Wallet is not affected as it doesn’t allow navigation to external pages.
    This is a good reminder that Mist is currently intended only for Ethereum app development and should not be used by end users to navigate the open web until it has reached at least version 1.0. An external audit of Mist is scheduled for December.
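
One way to check an installation after upgrading, as an added example that is not code from the advisory or the Mist project: it compares a version string against the affected range and lists which of the interfaces named above are still visible to page script. The function names and sample objects are hypothetical, and it assumes a patched build no longer exposes the three `mist` properties to DApp pages.

```javascript
// Added example, not Mist project code. The property names are the ones the
// advisory lists; everything else here is hypothetical.
const ADVISORY_APIS = ['shell', 'dirname', 'syncMinimongo'];
const LAST_AFFECTED = [0, 8, 6]; // "including and prior to 0.8.6"

// True when a dotted version string is 0.8.6 or older.
function isAffectedVersion(version) {
  const text = String(version).trim().replace(/^v/i, '');
  if (!/^\d+(\.\d+)*$/.test(text)) {
    throw new TypeError('unparseable version: ' + version);
  }
  const parts = text.split('.').map(Number);
  for (let i = 0; i < LAST_AFFECTED.length; i++) {
    const have = parts[i] || 0;
    if (have !== LAST_AFFECTED[i]) return have < LAST_AFFECTED[i];
  }
  // Same first three fields: only an all-zero tail still equals 0.8.6.
  return parts.slice(LAST_AFFECTED.length).every((n) => n === 0);
}

// List what the advisory flags among the globals a DApp page can see.
// scope is normally `window`; accountAllowed is whether the user has
// permitted an account for this DApp.
function auditDappScope(scope, accountAllowed) {
  const findings = [];
  const mist = scope && scope.mist;
  for (const name of ADVISORY_APIS) {
    if (mist && mist[name] !== undefined) findings.push('mist.' + name + ' is exposed');
  }
  const eth = scope && scope.web3 && scope.web3.eth;
  if (eth && !accountAllowed && eth.coinbase != null) {
    findings.push('web3.eth.coinbase is set without an allowed account');
  }
  return findings;
}

// Constructed stand-ins for a vulnerable and a patched page scope.
const exposedScope = {
  mist: { shell: {}, dirname: '/constructed/path', syncMinimongo() {}, otherApi: {} },
  web3: { eth: { coinbase: '0x0000000000000000000000000000000000000001' } },
};
const patchedScope = { mist: { otherApi: {} }, web3: { eth: { coinbase: null } } };

console.log(isAffectedVersion('0.8.6'), auditDappScope(exposedScope, false));
console.log(isAffectedVersion('0.8.7'), auditDappScope(patchedScope, false));
```

Called from page script as `auditDappScope(window, false)`, an empty array means none of the listed interfaces is reachable from that page.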

    A big thanks goes to @tintinweb for his very useful reproduction app to test the vulnerabilities!

    We are also thinking of adding Mist to the bounty program. If you find vulnerabilities or severe bugs, please contact us at [email protected]


    Author,

    Fabian Vogelsteller

