This audit led to a lot of useful findings that strengthen the security of the Mist browser when interacting with external DApps.
We also found certain vulnerabilities in Electron, the framework that Mist (and others such as Brave, Slack and Gitter) uses, which we cannot fully fix at this point in time without changes on the Electron side; we have communicated these to the Electron team. Luckily their team is very responsive and right on track to fix them as I write.
For now don't visit untrusted DApps with your Mist browser to reduce risk!!
We hope to be able to close the Electron vulnerabilities in the next release and provide a safe browser experience.
Some of the security issues allowed:
- Execution of simple code in the Mist interface context
- Popping up spoofed alert windows
- Changing the interface by dragging files into it
- Navigating to file paths (currently disabled in some cases)
- File path attacks using HTTP redirects
- UI breaks
We also fixed all issues on the Mist side that allowed the interface to be broken. We added a new 400 error page for disallowed URLs. We also improved the security of scripts running inside the DApp context and improved overall webview security. We might publish the full list of vulnerabilities at a later point in time.
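As an added illustration of the kind of check behind a "disallowed URL" page (example code, not Mist's own implementation): a navigation policy that rejects any target outside http(s), and applies the same check to every hop of an HTTP redirect chain, so a redirect cannot land a DApp webview on a file path. The host names, paths and redirect chain are constructed for the example; the Electron event names in the trailing comment are an assumption about how it would be wired in.

```javascript
// Added example (not Mist's own code): a navigation policy for a DApp
// webview that rejects non-http(s) targets, including a file: path that an
// HTTP redirect tries to land on. All URLs below are constructed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Decide whether a single navigation target is acceptable.
function isAllowedUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (e) {
    return false; // unparseable input is never navigable
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Walk a redirect chain (each hop is a Location header value, possibly
// relative) and stop at the first hop that leaves http(s). Returns the
// final URL, or an object describing which hop was blocked and why.
function followRedirects(startUrl, locations) {
  if (!isAllowedUrl(startUrl)) {
    return { blocked: true, status: 400, url: startUrl, hop: 0 };
  }
  let current = startUrl;
  for (let i = 0; i < locations.length; i++) {
    let next;
    try {
      next = new URL(locations[i], current).href; // resolve relative Location
    } catch (e) {
      return { blocked: true, status: 400, url: locations[i], hop: i + 1 };
    }
    if (!isAllowedUrl(next)) {
      return { blocked: true, status: 400, url: next, hop: i + 1 };
    }
    current = next;
  }
  return { blocked: false, url: current };
}

// Assumed wiring (not from the page): an Electron webContents
// 'will-navigate' / 'will-redirect' handler would call isAllowedUrl(url)
// and event.preventDefault() on a false result, then show the 400 page.
```

Checking each redirect hop, not just the initial URL, is what closes the "file path via HTTP redirect" case listed above.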
Big thanks go to @cure53 and their great team for disassembling Mist, and especially its integration of third-party content. We will very likely have follow-up audits of more aspects of the Mist browser.
This release has major stability improvements on the node connection between tabs and the stability of the sockets, which were freezing Mist at times.
The wallet was also updated and should now have the confirmation window problem solved.
Additionally we fixed the following issues:
- prompts users when there are geth updates and allows them to opt in to updating it
- fixed flickering of icons
- fixed directing of URLs into the browser tab
- fixed removal of wallet tab title