Security Alert: Mist Browser Bug Puts Private Keys in Danger
The Mist team warns users of a bug found in Mist Browser Beta and provides a security checklist.
A post on the Ethereum blog today informs users of a bug in Mist Browser Beta that could potentially allow private keys to be stolen by malicious websites. The vulnerability affects Mist Browser Beta v0.9.3 and below.
A security alert from the Mist team published today on the Ethereum blog highlights how security update discrepancies across Mist, its underlying platform Electron, and the Chromium browser could compromise data privacy. The alert states:
“Due to a Chromium vulnerability affecting all released versions of the Mist Browser Beta v0.9.3 and below, we are issuing this alert warning users not to browse untrusted websites with Mist Browser Beta at this time.”
However they note that users of the Ethereum Wallet desktop app are not affected.
In the period following high-profile Ethereum-related security issues, notably Parity’s notorious hack and accidental quarantine of funds, developers are conspicuously keen to highlight their commitment to keeping on top of new problems.
The complex three-tier setup in Mist, Electron and Chromium nonetheless presents hurdles to security. In the security alert, the Mist team explains the complexities involved that cause vulnerability, saying:
“A core problem with the current architecture is that any 0-day Chromium vulnerability is several patch-steps away from Mist: first Chromium needs to be patched, then Electron needs to update the Chromium version, and finally, Mist needs to update to the new Electron version.”
Mist browser users are advised to follow a seven-step checklist to ensure maximum safety:
- Avoid keeping large quantities of Ether or tokens in private keys on an online computer.
- Back up your private keys.
- Do not visit untrusted websites with Mist.
- Do not use Mist on untrusted networks.
- Keep your day-to-day browser updated.
- Keep track of your Operating System and anti-virus updates.
- Learn how to verify file checksums.