A post on the Ethereum blog today informs users of a bug in Mist Browser Beta that could potentially allowprivate keys to be stolen by malicious websites. The vulnerability affects Mist Browser Beta v0.9.3 and below.
A security alert from the Mist team published today on the Ethereum blog highlights how securityupdate discrepancies across Mist, its underlying platform Electron, and the Chromium browser could compromise data privacy. The alert states:
“Due to a Chromium vulnerability affecting all released versions of the Mist Browser Beta v0.9.3 and below, we are issuing this alert warning users not to browse untrusted websites with Mist Browser Beta at this time.”
In the period following high-profileEthereum-related securityissues, notably Parity’s notorious hack and accidental quarantine of funds, developers are conspicuously keen to highlight their commitment to keeping on top of new problems.
The complex three-tier setup in Mist, Electron and Chromium nonetheless presents hurdles to security. In the security alert, the Mist team explains the complexities involved that cause vulnerability, saying:
“A core problem with the current architecture is that any 0-day Chromium vulnerability is several patch-steps away from Mist: first Chromium needs to be patched, then Electron needs to update the Chromium version, and finally, Mist needs to update to the new Electron version.”
Avoid keeping large quantities of Ether or tokens in private keys on an online computer.
Back up your private keys.
Do not visit untrusted websites with Mist.
Do not use Mist on untrusted networks.
Keep your day-to-day browser updated.
Keep track of your Operating System and anti-virus updates.
Learn how to verify file checksums.