Ethereum Blog

Security Alert – Mist can be vulnerable when navigating to malicious DApps

Introduction

user

Fabian Vogelsteller

Author, Meteorjs enthusiast and Web3.js and Mist developer for the ethereum project and creator of the feindura - flat file based CMS.


LATEST POSTS

Security Alert – Smart Contract Wallets created in frontier are vulnerable to phishing attacks 24th June, 2016

Ethereum Wallet – Developer Preview 16th September, 2015

release

Security Alert – Mist can be vulnerable when navigating to malicious DApps

Posted on .

Mist leaks some low level APIs, which Dapps could use to gain access to the computer’s file system and read/delete files. This would only affect you if you navigate to an untrusted Dapp that knows about these vulnerabilities and specifically tries to attack users. Upgrading Mist is highly recommended to prevent exposure to attacks.

Affected configurations: All versions of Mist from 0.8.6 and lower. This vulnerability doesn’t affect the Ethereum Wallet since it can’t load external DApps.
Likelihood: Medium
Severity: High

Summary

Some Mist API methods were exposed, making it possible for malicious webpages to gain access to a privileged interface that could delete files on the local filesystem or launch registered protocol handlers and obtain sensitive information, such as the user directory or the user’s “coinbase”.
Vulnerable exposed mist APIs:
mist.shell
mist.dirname
mist.syncMinimongo
web3.eth.coinbase is now null, if the account is not allowed for the dapp

Solution

Upgrade to the latest version of the Mist Browser. Do not use any previous Mist versions to navigate to any untrusted webpage, or local webpages from unknown origins. The Ethereum Wallet is not affected as it doesn’t allow navigation to external pages.
This is a good reminder that Mist is currently only considered for Ethereum App Development and should not be used for end users to navigate on the open web until it has reached at least version 1.0. An external audit of Mist is scheduled for December.

A big thanks goes to @tintinweb for his very useful reproduction app to test the vulnerabilities!

We are also thinking of adding Mist to the bounty program, if you find vulnerabilities or severe bugs please contract us at bounty@ethereum.org

profile

Fabian Vogelsteller

http://frozeman.de

Author, Meteorjs enthusiast and Web3.js and Mist developer for the ethereum project and creator of the feindura - flat file based CMS.

Comments
user

Author James Pitts

Posted at 8:01 am October 28, 2016.

Those using Mist have to remember that this software is under active development… which depends on geth, also under active development… which depends on the Ethereum network and all of the dramatic changes that it is going through.

Reply

Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

View Comments (1) ...
Navigation