Mist leaks some low-level APIs that Dapps can use to access your computer’s file system and read or delete files. This only affects you if you go to an untrusted Dapp that is aware of these vulnerabilities and is specifically trying to attack you. We recommend upgrading Mist to avoid exposure to attacks.
Affected Configurations: All Mist versions below 0.8.6. This vulnerability does not affect Ethereum wallets as it cannot load external DApps.
something that could happen: middle
severity: High
summary
Some Mist API methods are exposed, allowing malicious web pages to access privileged interfaces that can delete files on the local file system, execute registered protocol handlers, and obtain sensitive information such as the user directory or the user’s “coinbase”. It has become possible. Vulnerable exposed Mist API:
mist.shellmist.dirnamemist.syncMinimongoweb3.eth.coinbasenow
nullIf the account is not accepted for dapp
solution
Upgrade to: Latest version of Mist browser. Do not use older versions of Mist to navigate to untrusted webpages or local webpages from unknown sources. Ethereum wallets are not affected as they do not allow external page navigation. This is a reminder that Mist is currently only being considered for Ethereum app development and should not be used by end users to browse the public web until it reaches at least version 1.0. Mist’s external audit is scheduled for December.
a big thank you @tintinweb There is a repro app that is very useful for testing vulnerabilities!
We are also thinking about adding Mist to our bounty program. If you discover any vulnerabilities or serious bugs, please contact us at: bounty@ethereum.org