Due to a Chromium security flaw impacting all distributed versions of the Mist Browser Beta v0.9.3 and prior, we are issuing this alert to advise users against visiting untrusted websites with Mist Browser Beta at this moment. Users of the “Ethereum Wallet” desktop application remain unaffected.
Configurations at risk: Mist Browser Beta v0.9.3 and below
Probability: Medium
Impact: High
Deceptive websites may potentially compromise your private keys.
Since the Ethereum Wallet desktop application is not categorized as a browser — it solely connects to the local Wallet Dapp — it is not exposed to the same kinds of problems found in Mist. For the time being, it is advisable to use Ethereum Wallet for fund management and engagement with smart contracts instead.
Mist Browser’s aim is to serve as a comprehensive user-facing bridge to the Ethereum blockchain and the range of technologies that comprise Web3. The browser significantly contributes to the next iteration of the web our ecosystem is actively developing.
From a security perspective, creating a browser (an application that executes untrusted code) that manages private keys is a daunting challenge. Over the past year, we have had Cure53 perform an extensive security assessment of Mist, leading to substantial enhancements in the security of both the Mist browser and the foundational platform, Electron. We have quickly addressed identified security vulnerabilities.
However, that alone is insufficient. Security in the browser domain represents an ongoing struggle. The Mist browser operates on Electron, which in turn is built on Chromium. Each new Chromium release addresses numerous security concerns.
The layer that exists between Mist and Chromium, Electron, is a project managed by GitHub aimed at simplifying the development of cross-platform applications using JavaScript. Recently, Electron has lagged behind Chromium, resulting in an expanding potential attack surface over time.
A principal issue with the existing architecture is that any zero-day Chromium vulnerability is several patching steps away from Mist: first, Chromium must be patched, then Electron must upgrade its Chromium version, and finally, Mist must adopt the new Electron version.
We are assessing ways to handle Electron’s infrequent release schedule, aiming to lessen the gap between the Chromium versions we utilize. Initial findings suggest that Brave’s Muon (a fork of Electron) closely follows Chromium updates and presents one potential alternative. The Brave browser, which also integrates a cryptocurrency wallet, possesses a comparable threat model and security requirements as Mist.
A vital reminder: Mist remains beta software, and you should treat it accordingly. The Mist Browser beta is offered on an “as is” and “as available” basis, with no warranties of any sort, either expressed or implied, including but not limited to warranties of merchantability or suitability for a particular purpose.
Quick security checklist:
- Refrain from storing substantial amounts of ether or tokens in private keys on an online device. Instead, utilize a hardware wallet, an offline gadget, or a contract-based solution (preferably a combination of these).
- Make backups of your private keys — Cloud services are generally not the best choice for storage.
- Avoid accessing untrustworthy websites using Mist.
- Do not operate Mist on unreliable networks.
- Ensure your daily browser is kept updated.
- Monitor your Operating System and anti-virus updates.
- Familiarize yourself with how to verify file checksums (link).
Finally, we extend our gratitude to the security researchers who diligently worked on reproducing issues and providing invaluable contributions through the Ethereum Bounty program.
For additional information, please reach out here: mist[at]ethereum dot org.
[We will update this notice as the situation progresses].
@evertonfraga
Mist Team
