Vulnerability discovered in the Ethereum Mist browser

On December 15, the official blog of the Ethereum Foundation reported the discovery of a serious vulnerability in the Ethereum Mist browser, version 0.9.3 and all earlier versions. The vulnerability is in the code of the Chromium browser, which Mist uses.

The official Ethereum wallet, Ethereum Wallet, does not have the vulnerability. At the time of writing, no break-ins involving Mist had been reported.

As stated in the blog:

  • Vulnerable configuration: Mist browser Beta v0.93 and below;

  • Probability: medium;

  • Severity: high;

  • When a fraudulent page is visited with Mist, private keys can be stolen.

Because the Ethereum Wallet desktop application is a local wallet rather than a browser, it is not affected by the Mist problem, and the developers recommend using it for transactions and for interacting with smart contracts.

Historically, the official Ethereum wallet was called Mist, and its split into the Mist browser and the Ethereum Wallet happened relatively recently, so many users still call both the wallet and the browser Mist out of habit.

Although the official announcement appeared only on December 15, Mist users had seen a notice on its main page a week earlier saying that, because of possible vulnerabilities, visiting unknown pages is not recommended.

The Mist browser is meant to become a unifying element of Ethereum and of the blockchain technology layer that makes up Web 3.0, and it is an important part of the ecosystem. Recently, however, MetaMask, which is a Chrome browser extension, has become more widespread. At the time of writing, the MetaMask team had not commented on the situation.

From a security point of view, building a browser, that is, an application that loads code from unknown sources, is a complex task. The Mist browser is built on the Electron platform, which is based on Chromium. Each new Chromium release fixes numerous security bugs.

The Electron middleware makes it possible to build cross-platform applications using JavaScript. Until recently, Electron updates lagged behind Chromium updates. The main drawback of this architecture is therefore that the fix for any vulnerability discovered in Chromium is out of the Mist team's hands: first Chromium needs a patch, then Electron must update its bundled version of Chromium, and only then can Mist be updated to the next version of Electron.
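The three-step patch chain described above, as an added example (not code from the Mist or Electron projects): given the first Chromium version that contains a fix, it reports whether an app is already patched, is blocked waiting on the framework, or only needs to move to a newer framework release. The release table and every version number are constructed, and `compareVersions` and `locatePatchBlocker` are hypothetical names.

```javascript
// Added example. All version numbers below are constructed, not real release data.

// Compare dotted numeric versions component by component (numeric, not lexical).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// releases: [{ electron, chromium }] pairs published by the framework.
// bundled:  versions the shipped app reports (Electron exposes process.versions.chrome).
// fixedIn:  first Chromium version that contains the fix.
function locatePatchBlocker(releases, bundled, fixedIn) {
  if (!bundled || !bundled.chrome) {
    return { status: 'unknown', reason: 'no embedded Chromium version reported' };
  }
  if (compareVersions(bundled.chrome, fixedIn) >= 0) {
    return { status: 'patched' };
  }
  // Oldest framework release whose embedded Chromium already has the fix.
  const candidates = releases
    .filter((r) => compareVersions(r.chromium, fixedIn) >= 0)
    .sort((x, y) => compareVersions(x.electron, y.electron));
  if (candidates.length === 0) {
    // Step 2 of the chain has not happened yet: the app team cannot act.
    return { status: 'blocked-upstream', reason: 'no Electron release bundles the fix yet' };
  }
  // Step 3 is pending: the fix is available, the app has not adopted it.
  return { status: 'app-must-upgrade', upgradeTo: candidates[0].electron };
}

// Constructed sample data: framework releases and the Chromium each one embeds.
const SAMPLE_RELEASES = [
  { electron: '1.2.0', chromium: '52.0.1200.30' },
  { electron: '1.0.0', chromium: '50.0.1000.10' },
  { electron: '1.1.0', chromium: '51.0.1100.20' },
];

console.log(locatePatchBlocker(SAMPLE_RELEASES, { chrome: '50.0.1000.10' }, '51.0.1100.20'));
console.log(locatePatchBlocker(SAMPLE_RELEASES, { chrome: '50.0.1000.10' }, '53.0.1300.5'));
```

A `blocked-upstream` result is the case the article describes: the browser fix exists, but the application cannot ship it until the framework does.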

The Mist team is studying various options for reducing the lag behind Chromium updates. According to preliminary findings, the best potential solution may be Brave's Muon, an Electron fork used by the Brave browser, which places high demands on security because it is integrated with the BAT cryptocurrency wallet.
