EF Blog

ETH top background starting image
ETH bottom background ending image
Skip to content

Security Alert - Mist can be vulnerable when navigating to malicious DApps

Posted by Fabian Vogelsteller on October 27, 2016

Security Alert - Mist can be vulnerable when navigating to malicious DApps

Mist leaks some low level APIs, which Dapps could use to gain access to the computer's file system and read/delete files. This would only affect you if you navigate to an untrusted Dapp that knows about these vulnerabilities and specifically tries to attack users. Upgrading Mist is highly recommended to prevent exposure to attacks.

Affected configurations: All versions of Mist from 0.8.6 and lower. This vulnerability doesn't affect the Ethereum Wallet since it can’t load external DApps. Likelihood: Medium Severity: High

Summary

Some Mist API methods were exposed, making it possible for malicious webpages to gain access to a privileged interface that could delete files on the local filesystem or launch registered protocol handlers and obtain sensitive information, such as the user directory or the user's "coinbase". Vulnerable exposed mist APIs:
mist.shell
mist.dirname
mist.syncMinimongo
web3.eth.coinbase
is now
null
, if the account is not allowed for the dapp

Solution

Upgrade to the latest version of the Mist Browser. Do not use any previous Mist versions to navigate to any untrusted webpage, or local webpages from unknown origins. The Ethereum Wallet is not affected as it doesn't allow navigation to external pages. This is a good reminder that Mist is currently only considered for Ethereum App Development and should not be used for end users to navigate on the open web until it has reached at least version 1.0. An external audit of Mist is scheduled for December.

A big thanks goes to @tintinweb for his very useful reproduction app to test the vulnerabilities!

We are also thinking of adding Mist to the bounty program, if you find vulnerabilities or severe bugs please contract us at bounty@ethereum.org

Categories