Mist exposes several low-level APIs, enabling Dapps to access the computer’s file system and read or delete files. This would pose a risk only if you browse to an untrusted Dapp that is aware of these flaws and actively seeks to exploit users. It is strongly advised to update Mist to mitigate the chances of attack.
Affected configurations: All versions of Mist up to and including 0.8.6. This flaw does not impact the Ethereum Wallet, as it is unable to load external DApps.
Likelihood: Medium
Severity: High
Summary
Certain Mist API functions were exposed to web content, allowing malicious websites to access a privileged interface that could delete files from the local file system or launch registered protocol handlers to retrieve sensitive data, including the user directory or the user’s “coinbase”.
Vulnerable exposed Mist APIs:
mist.shell
mist.dirname
mist.syncMinimongo
web3.eth.coinbase now shows as null, if the account is not authorized for the dapp
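The pattern behind this kind of fix, shown as an added example that is not Mist's own code: the page receives a frozen facade built from an allowlist, and coinbase is null unless the account is authorized for the requesting origin. The names buildDappApi, SAFE_METHODS, requestAccount, the permissions map and the sample values are assumptions made for illustration.

```javascript
// Added example: hypothetical names throughout. Only mist.shell, mist.dirname,
// mist.syncMinimongo and web3.eth.coinbase are taken from the advisory.

// Allowlist of methods a page may call (hypothetical entry).
const SAFE_METHODS = ['requestAccount'];

// Build the object handed to a page loaded from `origin`.
// privileged:  the browser's internal interface (never passed to the page)
// permissions: Map of origin -> array of accounts the user authorized for it
function buildDappApi(privileged, origin, permissions) {
  const granted = permissions.get(origin) || [];

  const mist = Object.create(null);
  for (const name of SAFE_METHODS) {
    if (typeof privileged[name] === 'function') {
      // Wrap instead of copying, so no privileged reference leaks to the page.
      mist[name] = (...args) => privileged[name](origin, ...args);
    }
  }

  const eth = Object.create(null);
  Object.defineProperty(eth, 'coinbase', {
    enumerable: true,
    // null unless the coinbase account is authorized for this origin.
    get: () => (granted.includes(privileged.accounts[0]) ? privileged.accounts[0] : null),
  });
  Object.defineProperty(eth, 'accounts', {
    enumerable: true,
    get: () => privileged.accounts.filter((a) => granted.includes(a)),
  });

  return Object.freeze({
    mist: Object.freeze(mist),
    web3: Object.freeze({ eth: Object.freeze(eth) }),
  });
}

// Constructed stand-in for the privileged interface, for demonstration only.
const ACCOUNT = '0x' + 'a'.repeat(40);
const samplePrivileged = {
  accounts: [ACCOUNT],
  shell: {},                       // must never reach a page
  dirname: '/constructed/path',    // must never reach a page
  syncMinimongo() {},              // must never reach a page
  requestAccount: (origin) => `prompt shown for ${origin}`,
};
const samplePermissions = new Map([['https://trusted.example', [ACCOUNT]]]);
```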
Solution
Update to the most recent version of the Mist Browser. Avoid using any prior versions of Mist to access untrusted sites or local webpages from ambiguous origins. The Ethereum Wallet remains unaffected, as it does not permit navigation to external websites.
This is an important reminder that Mist is currently intended only for Ethereum app development and should not be used by end users to browse the open web until it reaches at least version 1.0. An external audit for Mist is planned for December.
A special acknowledgment goes to @tintinweb for his invaluable reproduction application for testing the vulnerabilities!
We are also considering incorporating Mist into the bounty program; if you discover vulnerabilities or critical bugs, please contact us at bounty@ethereum.org.
