Mist discloses some low level APIs, which the DAPPs could use to access the computer file system and read / delete files. This would only affect you if you navigate to an unreliable DAPP who knows these vulnerabilities and specifically tries to attack users. The upgrade of the mist is highly recommended to prevent exposure to attacks.
Configurations affected: All versions of Mist from 0.8.6 and lower. This vulnerability does not affect the Ethereum portfolio because it cannot load external DAPPs.
Probability: AVERAGE
Severity: High
Summary
Certain API walls have been exposed, which allows malicious web pages to access a privileged interface that could delete files on the local file system or launch recorded protocol managers and obtain sensitive information, such as the user or user “Coinbase” directory. Vulnerable exposed MIST API:
mist.shell
mist.dirname
mist.syncMinimongo
web3.eth.coinbase
is now
null
If the account is not allowed for the DAPP
Solution
Upgrade Latest version of the Mist browser. Do not use previous MIST versions to navigate to an unreliable web page or local web pages from unknown origin. The Ethereum portfolio is not affected because it does not allow navigation on external pages. This is a good reminder that the mist is currently considered only for the development of Ethereum applications and should not be used so that end users can navigate on the Open Web until it has reached at least version 1.0. An external audit of the mist is scheduled for December.
A big thank you goes to @tintinweb For its very useful reproduction application to test vulnerabilities!
We also plan to add mist on the Bounty program, if you find vulnerabilities or serious bugs, please contract us reboundy@ethereum.org