\n<\/p>\n
Due to a Chromium vulnerability affecting all released versions of the Mist Browser Beta v0.9.3 and below, we are issuing this alert warning users not to browse untrusted websites with Mist Browser Beta at this time. Users of “Ethereum Wallet” desktop app are not affected.<\/p>\n
Affected configurations: Mist Browser Beta v0.9.3 and below
\nLikelihood: Medium
\nSeverity: High<\/p>\n
Malicious websites can potentially steal your private keys.<\/p>\n
As Ethereum Wallet desktop app does not qualify as a browser \u2014 it accesses only the local Wallet Dapp \u2014 it is not subject to the same category of issues present in Mist. For now, it is recommended to use Ethereum Wallet<\/a> to manage funds and interact with smart contracts instead.<\/p>\n Mist Browser’s vision is to be a complete user-facing bridge to the ethereum blockchain and set of technologies that compose the Web3. The browser paves a significant path for the next Web our ecosystem is proudly building.<\/p>\n Security-wise, making a browser (an app that loads untrusted code) that handles private keys is a challenging task. Over the course of the last year, we have had Cure53 conduct an extensive security audit of Mist, and vastly improved the security of both the Mist browser and the underlying platform, Electron. We’ve promptly fixed found security issues.<\/p>\n But that is not enough. Security in the browser space is a never-ending battle. The Mist browser is based on Electron, which is based on Chromium. Each new Chromium release fixes numerous security issues.<\/p>\n The layer between Mist and Chromium, Electron<\/a>, is a project led by GitHub that aims to ease the creation of cross-platform applications using JavaScript. Recently, Electron hasn’t kept up to date with Chromium, leading to an increasing potential attack surface as time passes.<\/p>\n A core problem with the current architecture is that any 0-day Chromium vulnerability is several patch-steps away from Mist: first Chromium needs to be patched, then Electron needs to update the Chromium version, and finally, Mist needs to update to the new Electron version.<\/p>\n We’re examining how we could deal with Electron’s not-so-frequent release schedule, to reduce the gap between Chromium versions we use. From preliminary studies, Brave’s Muon<\/a> (an Electron fork) follows Chromium updates closely and is one potential option. The Brave browser, which also contains a cryptocurrency wallet integration, has a similar threat-model and demands for security as Mist.<\/p>\n An important reminder: Mist is still beta software, and you must treat it as such. The Mist Browser beta is provided on an “as is” and “as available” basis and there are no warranties of any kind, expressed or implied, including, but not limited to, warranties of merchantability or fitness of purpose. Lastly, we would like to thank the security researchers that worked hard on reproducing and making invaluable submissions through the Ethereum Bounty program<\/a>.<\/p>\n
\nQuick security checklist:<\/p>\n\n