Mist leaks some low level APIs, which Dapps could use to gain access to the computer’s file system and read/delete files. This would only affect you if you navigate to an untrusted Dapp that knows about these vulnerabilities and specifically tries to attack users. Upgrading Mist is highly recommended to prevent exposure to attacks.
Affected configurations: All versions of Mist from 0.8.6 and lower. This vulnerability doesn’t affect the Ethereum Wallet since it can’t load external DApps.
Likelihood: Medium
Severity: High
Summary
Some Mist API methods were exposed, making it possible for malicious webpages to gain access to a privileged interface that could delete files on the local filesystem or launch registered protocol handlers and obtain sensitive information, such as the user directory or the user’s “coinbase”.
Vulnerable exposed mist APIs:
mist.shellmist.dirnamemist.syncMinimongoweb3.eth.coinbaseis now
null, if the account is not allowed for the dapp
Solution
Upgrade to the latest version of the Mist Browser. Do not use any previous Mist versions to navigate to any untrusted webpage, or local webpages from unknown origins. The Ethereum Wallet is not affected as it doesn’t allow navigation to external pages.
This is a good reminder that Mist is currently only considered for Ethereum App Development and should not be used for end users to navigate on the open web until it has reached at least version 1.0. An external audit of Mist is scheduled for December.
A big thanks goes to @tintinweb for his very useful reproduction app to test the vulnerabilities!
We are also thinking of adding Mist to the bounty program, if you find vulnerabilities or severe bugs please contract us at bounty@ethereum.org
