Security alert — Chromium vulnerability affecting Mist Browser Beta
Posted by Everton Fraga on December 15th, 2017.
Due to a Chromium vulnerability affecting all released versions of the Mist Browser Beta v0.9.3 and below, we are issuing this alert warning users not to browse untrusted websites with Mist Browser Beta at this time. Users of “Ethereum Wallet” desktop app are not affected.
Affected configurations: Mist Browser Beta v0.9.3 and below
Likelihood: Medium
Severity: High
Malicious websites can potentially steal your private keys.
As Ethereum Wallet desktop app does not qualify as a browser — it accesses only the local Wallet Dapp — it is not subject to the same category of issues present in Mist. For now, it is recommended to use Ethereum Wallet to manage funds and interact with smart contracts instead.
(…) The Mist browser is based on Electron, which is based on Chromium. Each new Chromium release fixes numerous security issues.
The layer between Mist and Chromium, Electron, is a project led by GitHub that aims to ease the creation of cross-platform applications using JavaScript. Recently, Electron hasn’t kept up to date with Chromium, leading to an increasing potential attack surface as time passes.
(…) We’re examining how we could deal with Electron’s not-so-frequent release schedule, to reduce the gap between Chromium versions we use. From preliminary studies, Brave’s Muon (an Electron fork) follows Chromium updates closely and is one potential option. (…)
An important reminder: Mist is still beta software, and you must treat it as such. (…)
Quick security checklist:
- Avoid keeping large quantities of ether or tokens in private keys on an online computer. Instead, use a hardware wallet, an offline device or a contract-based solution (preferably a mix of those).
- Back up your private keys — Cloud services are not the best option to store it.
- Do not visit untrusted websites with Mist.
- Do not use Mist on untrusted networks.
- Keep your day-to-day browser updated.
- Keep track of your Operating System and anti-virus updates.
- Learn how to verify file checksums (link).
- Lastly, we would like to thank the security researchers that worked hard on reproducing and making invaluable submissions through the Ethereum Bounty program.
If you need further information, get in touch here: mist[at]ethereum dot org.
[We’ll update this post as the situation evolves].
@evertonfraga
Mist Team”