Security Alert — Chromium Vulnerability Affecting Mist Browser Beta

Due to a Chromium vulnerability affecting all release versions prior to Mist Browser Beta v0.9.3, we are issuing this warning warning users not to browse untrusted websites with the current Mist Browser Beta. Users of the “Ethereum Wallet” desktop app are not affected.

Configurations Affected: Mist Browser Beta v0.9.3 and earlier Likelihood: Medium Severity: High

Malicious websites can potentially steal your private keys.

The Ethereum Wallet desktop app does not have browser credentials, so it only accesses the local Wallet Dapp, so the same category of issues that exist in Mist do not apply. For now I recommend using: Ethereum Wallet Instead, it manages your funds and interacts with smart contracts.

Mist Browser’s vision is to be a fully user-facing bridge to the Ethereum blockchain and the set of technologies that make up Web3. Browsers pave the way for the next generation of the web that our ecosystem is proud to build.

From a security perspective, creating a browser (and an app that loads untrusted code) that handles private keys is a difficult task. Over the past year, we have had Cure53 conduct an extensive security audit of Mist and have significantly improved the security of the Mist browser and its underlying platform, Electron. Any security issues discovered were immediately fixed.

But that alone is not enough. Security in the browser space is a never-ending battle. The Mist browser is based on Electron, which is based on Chromium. Each new Chromium release fixes numerous security issues.

Layer between mist and chrome, formeris a GitHub-led project that aims to make it easy to create cross-platform applications using JavaScript. Recently, Electron has not kept Chromium up to date, increasing its potential attack surface over time.

The core problem with the current architecture is that zero-day Chromium vulnerabilities are several patch stages from Mist. First, Chromium needs to be patched, Electron needs to update its Chromium version, and finally Mist needs to be updated to the new version. Electronic version.

We’re looking at how we can handle Electron’s less frequent release schedule to bridge the gap between the Chromium versions we use. Through preliminary research, Brave’s Muon (electronic fork) follows Chromium updates closely and is one potential option. The Brave browser, which also includes cryptocurrency wallet integration, has a similar threat model and security requirements as Mist.

Important note: Mist is still beta software and should be treated as such. Mist Browser Beta is provided “as is” and “as available” and without warranties of any kind, express or implied, including, but not limited to, warranties of merchantability or fitness for purpose. Quick security checklist:

• Do not store large amounts of Ether or tokens in your private keys on online computers. Instead, use hardware wallets, offline devices, or contract-based solutions (preferably a mix of these).
• Backup your private keys – Cloud services are not the best option for storing your private keys.
• Don’t use Mist to visit untrusted websites.
• Do not use Mist on untrusted networks.
• Keep your everyday browser up to date.
• Track operating system and antivirus updates.
• Learn how to check file checksum (link).

Finally, we would like to thank the security researchers who worked hard to reproduce and submit valuable material. Ethereum Bounty Program.

If you require further information, please contact us here. Mist(at)Ethereum Dot org.

(I will update this post as the situation develops).

@evertonfraga Mist Team