Mist leaks some low-level APIs, which Dapps could use to access the computer's file system and read/delete files. This would only affect you if you navigate to an untrusted Dapp that knows about these vulnerabilities and is specifically trying to attack users. Upgrading Mist is highly recommended to prevent exposure to attacks.
Affected configurations: All versions of Mist from 0.8.6 and below. This vulnerability does not affect the Ethereum Wallet, since it cannot load external DApps.
Likelihood: Medium
Severity: High
Summary
Some methods of the Mist API were exposed, which gave malicious websites access to a privileged interface that could delete files on the local file system or launch registered protocol handlers and obtain sensitive information, such as the user’s directory or the user’s “coinbase”. Exposed Mist APIs:
mist.shell
mist.dirname
mist.syncMinimongo
web3.eth.coinbase is now null if the account is not allowed for the dapp
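The exposure described above is a missing allowlist between a privileged shell object and untrusted page content. The following JavaScript is an added example, not Mist's own code: it builds a page-facing object from an allowlist, reports any member that leaks past it, and gates the coinbase per dapp origin. The object layout, the allowlist, and the function names are assumptions made for illustration; only the names shell, dirname and syncMinimongo come from the advisory.

```javascript
// Constructed stand-in for the privileged object a browser shell holds internally.
// shell, dirname and syncMinimongo are the members named in the advisory;
// the remaining members and all values are made up for this example.
const privilegedMist = {
  shell: { openExternal: (url) => `opened ${url}` },
  dirname: '/constructed/install/path',
  syncMinimongo: () => 'synced',
  platform: 'linux',
  requestAccount: () => 'prompt shown',
};

// Assumed allowlist: the only members untrusted page content may receive.
const DAPP_ALLOWLIST = ['platform', 'requestAccount'];

// Build the page-facing object by copying allowlisted members only.
// A null prototype and freeze() keep page script from extending or replacing it.
function buildDappApi(privileged, allowlist) {
  const api = Object.create(null);
  for (const name of allowlist) {
    if (Object.prototype.hasOwnProperty.call(privileged, name)) {
      api[name] = privileged[name];
    }
  }
  return Object.freeze(api);
}

// Regression check for a test suite: list every exposed member
// that is not on the allowlist (empty array means nothing leaked).
function findLeakedMembers(exposed, allowlist) {
  return Object.getOwnPropertyNames(exposed)
    .filter((name) => !allowlist.includes(name))
    .sort();
}

// The coinbase is returned only if that account was granted to the
// requesting origin; otherwise null. permissions is Map<origin, string[]>.
function coinbaseFor(origin, coinbase, permissions) {
  const allowed = permissions.get(origin) || [];
  return allowed.includes(coinbase) ? coinbase : null;
}
```

Running findLeakedMembers against the object actually injected into page content, as part of the release tests, catches a privileged member that is added later without being reviewed for exposure.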
Solution
Upgrade to the latest version of the Mist browser. Do not use any earlier version of Mist to navigate to an untrusted website or to local websites of unknown origin. The Ethereum Wallet is not affected, as it does not allow navigation to external sites. This is a good reminder that Mist is currently only considered for Ethereum application development and should not be used by end users to navigate the open web until it reaches at least version 1.0. An external audit of Mist is scheduled for December.
A big thanks goes out to @tintinweb for his very useful reproduction app for testing the vulnerabilities!
We are also considering adding Mist to the bounty program. If you find any vulnerabilities or serious bugs, please contact us at bounty@ethereum.org