{"id":8757,"date":"2025-02-19T23:55:43","date_gmt":"2025-02-19T22:55:43","guid":{"rendered":"https:\/\/wsj-crypto.com\/?p=8757"},"modified":"2025-02-19T23:55:43","modified_gmt":"2025-02-19T22:55:43","slug":"caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps","status":"publish","type":"post","link":"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/","title":{"rendered":"Caution Ahead: Potential Vulnerabilities in Mist When Accessing Malicious DApps"},"content":{"rendered":"

<\/p>\n

\n

Mist exposes several low-level APIs, enabling Dapps to access the computer’s file system and read or delete files. This would pose a risk only if you browse to an untrusted Dapp that is aware of these flaws and actively seeks to exploit users. It is strongly advised to update Mist to mitigate the chances of attack.<\/p>\n

<\/p>\n

Affected configurations<\/strong>: All iterations of Mist from version 0.8.6 and earlier. This flaw does not impact the Ethereum Wallet as it is unable to load external DApps.
\nLikelihood<\/strong>: Medium
\nSeverity<\/strong>: High<\/p>\n

<\/p>\n

Summary<\/h2>\n

Certain Mist API functions were revealed, allowing malicious websites to access a privileged interface that could delete files from the local file system or initiate registered protocol handlers to retrieve sensitive data, including the user directory or the user’s “coinbase”.
\nVulnerable exposed mist APIs:
\n<\/p>\n

mist.shell<\/span><\/code><\/pre>\n
<\/p>\n
mist.dirname<\/span><\/code><\/pre>\n
<\/p>\n
mist.syncMinimongo<\/span><\/code><\/pre>\n
<\/p>\n
web3.eth.coinbase<\/span><\/code><\/pre>\n
 now shows as <\/p>\n
null<\/span><\/code><\/pre>\n
, if the account is not authorized for the dapp
\n<\/p>\n
Solution<\/h2>\n
Update to the most recent version of the Mist Browser<\/a>. Avoid using any prior versions of Mist to access untrusted sites or local webpages from ambiguous origins. The Ethereum Wallet remains unaffected, as it does not permit navigation to external websites.
\nThis serves as a significant reminder that Mist is currently solely intended for Ethereum App Development and should not be utilized by end users to browse the open web until it reaches at least version 1.0. An external audit for Mist is planned for December.
\n<\/p>\n
A special acknowledgment goes to @tintinweb<\/a> for his invaluable reproduction application for testing the vulnerabilities!<\/p>\n
<\/p>\n
We are also considering incorporating Mist into the bounty program; if you discover vulnerabilities or critical bugs, please contact us at\u00a0bounty@ethereum.org<\/a><\/p>\n

\n<\/div>\n

\n
Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Mist exposes several low-level APIs, enabling Dapps to access the computer’s file system and read or delete files. This would pose a risk only if you browse to an untrusted Dapp that is aware of these flaws and actively seeks to exploit users. It is strongly advised to update Mist to mitigate the chances of<\/p>\n","protected":false},"author":3,"featured_media":8282,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23],"tags":[1360],"class_list":["post-8757","post","type-post","status-publish","format-standard","has-post-thumbnail","category-ethereum","tag-return-a-list-of-comma-separated-tags-from-this-title-security-alert-mist-can-be-vulnerable-when-navigating-to-malicious-dapps"],"yoast_head":"\nCaution Ahead: Potential Vulnerabilities in Mist When Accessing Malicious DApps - WSJ-Crypto<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/\" \/>\n<meta property=\"og:locale\" content=\"it_IT\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Caution Ahead: Potential Vulnerabilities in Mist When Accessing Malicious DApps - WSJ-Crypto\" \/>\n<meta property=\"og:description\" content=\"Mist exposes several low-level APIs, enabling Dapps to access the computer’s file system and read or delete files. This would pose a risk only if you browse to an untrusted Dapp that is aware of these flaws and actively seeks to exploit users. It is strongly advised to update Mist to mitigate the chances of\" \/>\n<meta property=\"og:url\" content=\"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/\" \/>\n<meta property=\"og:site_name\" content=\"WSJ-Crypto\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-19T22:55:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/wsj-crypto.com\/wp-content\/uploads\/2025\/02\/eth-org.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"2100\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"wsjcrypto\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Scritto da\" \/>\n\t<meta name=\"twitter:data1\" content=\"wsjcrypto\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tempo di lettura stimato\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minuto\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/\",\"url\":\"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/\",\"name\":\"Caution Ahead: Potential Vulnerabilities in Mist When Accessing Malicious DApps - WSJ-Crypto\",\"isPartOf\":{\"@id\":\"https:\/\/wsj-crypto.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/wsj-crypto.com\/wp-content\/uploads\/2025\/02\/eth-org.jpeg\",\"datePublished\":\"2025-02-19T22:55:43+00:00\",\"author\":{\"@id\":\"https:\/\/wsj-crypto.com\/#\/schema\/person\/88a93723b30416db1a352d5a0096c4a7\"},\"breadcrumb\":{\"@id\":\"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/#breadcrumb\"},\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/#primaryimage\",\"url\":\"https:\/\/wsj-crypto.com\/wp-content\/uploads\/2025\/02\/eth-org.jpeg\",\"contentUrl\":\"https:\/\/wsj-crypto.com\/wp-content\/uploads\/2025\/02\/eth-org.jpeg\",\"width\":2100,\"height\":900},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/wsj-crypto.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Caution Ahead: Potential Vulnerabilities in Mist When Accessing Malicious DApps\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/wsj-crypto.com\/#website\",\"url\":\"https:\/\/wsj-crypto.com\/\",\"name\":\"WSJ-Crypto\",\"description\":\"Just Another Crypto News Website\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/wsj-crypto.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"it-IT\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/wsj-crypto.com\/#\/schema\/person\/88a93723b30416db1a352d5a0096c4a7\",\"name\":\"wsjcrypto\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/wsj-crypto.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/86fe8af82ea089646d6639ca2f87e0243d8688d957bd8e3ec22ec3c457cc16d4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/86fe8af82ea089646d6639ca2f87e0243d8688d957bd8e3ec22ec3c457cc16d4?s=96&d=mm&r=g\",\"caption\":\"wsjcrypto\"},\"url\":\"https:\/\/wsj-crypto.com\/index.php\/author\/wsjcrypto\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Caution Ahead: Potential Vulnerabilities in Mist When Accessing Malicious DApps - WSJ-Crypto","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/","og_locale":"it_IT","og_type":"article","og_title":"Caution Ahead: Potential Vulnerabilities in Mist When Accessing Malicious DApps - WSJ-Crypto","og_description":"Mist exposes several low-level APIs, enabling Dapps to access the computer’s file system and read or delete files. This would pose a risk only if you browse to an untrusted Dapp that is aware of these flaws and actively seeks to exploit users. It is strongly advised to update Mist to mitigate the chances of","og_url":"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/","og_site_name":"WSJ-Crypto","article_published_time":"2025-02-19T22:55:43+00:00","og_image":[{"width":2100,"height":900,"url":"https:\/\/wsj-crypto.com\/wp-content\/uploads\/2025\/02\/eth-org.jpeg","type":"image\/jpeg"}],"author":"wsjcrypto","twitter_card":"summary_large_image","twitter_misc":{"Scritto da":"wsjcrypto","Tempo di lettura stimato":"1 minuto"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/","url":"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/","name":"Caution Ahead: Potential Vulnerabilities in Mist When Accessing Malicious DApps - WSJ-Crypto","isPartOf":{"@id":"https:\/\/wsj-crypto.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/#primaryimage"},"image":{"@id":"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/#primaryimage"},"thumbnailUrl":"https:\/\/wsj-crypto.com\/wp-content\/uploads\/2025\/02\/eth-org.jpeg","datePublished":"2025-02-19T22:55:43+00:00","author":{"@id":"https:\/\/wsj-crypto.com\/#\/schema\/person\/88a93723b30416db1a352d5a0096c4a7"},"breadcrumb":{"@id":"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/#breadcrumb"},"inLanguage":"it-IT","potentialAction":[{"@type":"ReadAction","target":["https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/"]}]},{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/#primaryimage","url":"https:\/\/wsj-crypto.com\/wp-content\/uploads\/2025\/02\/eth-org.jpeg","contentUrl":"https:\/\/wsj-crypto.com\/wp-content\/uploads\/2025\/02\/eth-org.jpeg","width":2100,"height":900},{"@type":"BreadcrumbList","@id":"https:\/\/wsj-crypto.com\/index.php\/2025\/02\/19\/caution-ahead-potential-vulnerabilities-in-mist-when-accessing-malicious-dapps\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/wsj-crypto.com\/"},{"@type":"ListItem","position":2,"name":"Caution Ahead: Potential Vulnerabilities in Mist When Accessing Malicious DApps"}]},{"@type":"WebSite","@id":"https:\/\/wsj-crypto.com\/#website","url":"https:\/\/wsj-crypto.com\/","name":"WSJ-Crypto","description":"Just Another Crypto News Website","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/wsj-crypto.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Person","@id":"https:\/\/wsj-crypto.com\/#\/schema\/person\/88a93723b30416db1a352d5a0096c4a7","name":"wsjcrypto","image":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/wsj-crypto.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/86fe8af82ea089646d6639ca2f87e0243d8688d957bd8e3ec22ec3c457cc16d4?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/86fe8af82ea089646d6639ca2f87e0243d8688d957bd8e3ec22ec3c457cc16d4?s=96&d=mm&r=g","caption":"wsjcrypto"},"url":"https:\/\/wsj-crypto.com\/index.php\/author\/wsjcrypto\/"}]}},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/posts\/8757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/comments?post=8757"}],"version-history":[{"count":2,"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/posts\/8757\/revisions"}],"predecessor-version":[{"id":8759,"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/posts\/8757\/revisions\/8759"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/media\/8282"}],"wp:attachment":[{"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/media?parent=8757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/categories?post=8757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wsj-crypto.com\/index.php\/wp-json\/wp\/v2\/tags?post=8757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}