A security alert has been issued to users of the Mist Beta browser, as all versions of the released software are vulnerable to a Chromium vulnerability. We strongly advise users who have used untrusted websites since the v0.9.3 or earlier versions of Mist to pay attention to this warning. At this time, the “Ethereum Wallet” desktop app is not affected by this issue.

Affected Configuration: Mist Beta v0.9.3 or lower
Likelihood: Medium
Severity: High

Malicious websites could potentially steal private keys.

As the Ethereum Wallet is not a browser, but rather a desktop application that accesses local resources, it is not subject to the same threats as other pieces of software. We strongly recommend using the Ethereal Wallet as it allows for secure interaction with smart contracts and management of funds.

The aim of the Mist Browser is to provide a user-friendly interface to the Ethereum blockchain and the technologies it is built upon. As the ecosystem continues to grow, the challenge of creating a secure browser (an app that loads untrusted codes) that can handle private keys is becoming increasingly difficult. To address this, Cure53 conducted a thorough security audit which resulted in a great enhancement of the security and efficiency of the system.

But this is not enough. As security in the browser space is an ever-evolving battle, Mist is built upon Electron, which is based on Chromium. Each new version of Chromium resolves security issues, so it is important to update the version of Electron. We are currently exploring how to update Chromium with less latency, and a project called “GitHub – Very Brave” (a fork of Electron) is following Chromium closely. The Brave browser also includes a cryptocurrency wallet, and has a similar threat model and security requirements as Mist.

It is important to remember that Mist is still in Beta, so it should be treated as such. It is provided “as is” and “as available” with no express or implied warranties. Here is a quick checklist for users:

• Avoid storing large amounts of tokens or ether in your online computer’s private keys, instead use a hardware wallet, an offline device or a contract-based system (preferably a combination).
• Back up private keys – cloud storage is not the best way to do this.
• Do not visit untrustworthy sites with Mist.
• Do not use Mist on untrusted networks.
• Keep your browser updated regularly.
• Keep an eye on your operating system and any antivirus updates.
• Learn how to verify checksums in files (link).

We would like to express our appreciation to the security researchers who contributed to the Ethereum bounty program by reproducing and reporting this issue.

For more information, please email us at fog[at]etherealpoint.org. We will update this post as the situation develops.

@evertonfraga Fog Team