Mist Browser Dev Team Identifies Potential Exposure of Ether Private Keys
The Mist Browser, the “tool of choice to browse and use Ðapps” according to its official Github page, has just announced that a bug was detected in its beta version. The bug could allow a malicious website to extract the private keys from your ether wallet, giving the attacker total control over your funds.
According to the security alert, which appeared on December 15, Mist Browser Beta versions 0.9.3 and lower are at risk, and users of the software should not “browse untrusted websites with Mist Browser Beta at this time.”
What is Mist Browser?
Mist is a web browser and Ethereum wallet bundled into one package. It is designed to be the Ethereum network interface for the average user. Today, in order to use Ethereum-powered Dapp sites such as CryptoKitties or the demo casino games on the FunFair page, you typically need Google Chrome with the MetaMask browser extension installed. While this is fine for most serious Ethereum users, it represents a large friction point for anyone entering the ecosystem.
Mist is instead aiming itself at becoming a highly intuitive and user-friendly experience that will provide a seamless experience for interacting with Dapps. The Mist project was initially announced back in 2014 by Alex Van de Sande in this video on the official Ethereum YouTube channel.
How Serious is the Bug?
The bug, which the alert attributes to a “Chromium vulnerability,” was detected and was already being addressed before the general release of the software. This matters because, as far as is known, no one has fallen victim to theft through this particular vulnerability.
Secondly, it shows that the team behind Mist is doing a good job of staying on top of things: issues are being detected and resolved before they become major hacks or thefts.
In the security alert, the Mist dev team comments that “Security-wise, making a browser (an app that loads untrusted code) that handles private keys is a challenging task.”
Most people who interact with the Ethereum blockchain today either do so directly or through a highly trusted and vetted intermediary, such as a well-respected wallet. In the future, millions of people each day could be interacting with Dapps of all sorts directly through their browser, which means they would need to send and receive ether or other ERC-20 tokens natively, from within the same software that renders those sites.
That is exactly where the risk comes from: the same program renders untrusted web content and holds the private keys, so it must keep the two strictly separated, and this bug shows what happens when that separation fails. It is a balancing act between user-friendliness, convenience, and security.