"Due to a Chromium vulnerability affecting all released versions of the Mist Browser Beta v0.9.3 and below, we are issuing this alert warning users not to browse untrusted websites with Mist Browser Beta at this time," wrote Mist developer Everton Fraga in a post to the Ethereum Foundation website on December 15, 2017. "Users of 'Ethereum Wallet' desktop app are not affected."
The vulnerability is listed with a "medium" likelihood and a "high" severity, as "malicious websites can potentially steal your private keys."
"For now, it is recommended to use Ethereum Wallet to manage funds and interact with smart contracts instead," explained Fraga.
It appears that rollout delays have impeded the timely development of patches.
"A core problem with the current architecture is that any 0-day Chromium vulnerability is several patch-steps away from Mist," wrote Fraga. "First Chromium needs to be patched, then Electron needs to update the Chromium version, and finally, Mist needs to update to the new Electron version."
Fraga also reminded users that "Mist is still beta software, and you must treat it as such." He notes that "there are no warranties of any kind, expressed or implied, including, but not limited to, warranties of merchantability or fitness of purpose."
He closed with a "Quick security checklist," reproduced below:
- Avoid keeping large quantities of ether or tokens in private keys on an online computer. Instead, use a hardware wallet, an offline device or a contract-based solution (preferably a mix of those).
- Back up your private keys — Cloud services are not the best option to store it.
- Do not visit untrusted websites with Mist.
- Do not use Mist on untrusted networks.
- Keep your day-to-day browser updated.
- Keep track of your Operating System and anti-virus updates.
- Learn how to verify file checksums (link).