Inherent Security Risks of MyEtherWallet

in #mew7 years ago (edited)

While attempting to help the community with the EOS Crowdsale, despite my best efforts, it is possible I have not been clear enough about the dangers of using the MEW web wallet.

The original write up was provided due to a high demand of more clear instructions with regards to contributing to EOS Crowdsale with MEW. Therefor, it could be inferred these users were already experienced and knew the risks associated to its usage.

The official http://eos.io instructions did not include instructions for the register function, nor did it explain the importance of the registration process. The instructions on MyEtherWallet.com existing contracts are lacking, and it caused an influx of confused contributors. After a few days of helping in the EOS telegram, we found ourselves answering the same questions over and over. In an attempt to make this easier, I posted multiple articles to make sharing information more efficient.

These articles are now being utilized by less sophisticated users, and so has presented an inherent knowledge gap. After dealing with some flag-abuse in response to a disagreement in precision of language used to describe the security risks of using MEW in my last post, I decided it may be a good idea to elaborate on inherent risks of web wallets but particularly MyEtherWallet otherwise known as MEW

As I have said in previous posts, you should always conduct your own research, and trust no one. Personal responsibility is a core tenant of crypto, and so, for me to provide every excruciating detail would have bloated these posts beyond the label of tl;dr, into the realm of "This is the most irrelevant article in my life, CLICK BAIT!"

Before we begin no software is "safe," as long as a device is connected to a network, the aim of being "unhackable" is a pipe dream. Your greatest weapon is knowledge and controlling your exposure

The Server

When you use a wallet on a third-party's server, you can never be certain of their intentions or commitment to a project. Web wallets require trust in a trustless system, and to some degree, it is oil in water. They exist and are tolerated for the purpose of accessibility to a larger demographic. Even though the web-wallet is client-side, meaning code that runs in your browser, if the administrator was a bad actor or the server were compromised, changes could be made to client-side source code to call home (a.k.a. send data to the server) with information you have entered into that website. There are numerous methods to achieve this, including but not limited to, ajax, cookies and exploiting canvas.

There are no glaring indications at this time (July 5th 9:10PM CET [UTC+2]) that MEW contains any malicious code. If MEW patched malicious code into their repository, or onto their web app, security aware users would likely catch it fairly quickly This statement will be deprecated once I have lost the ability to update this post due to Steem archiving

Client-Side Dangers

I didn't originally include this as a vulnerability because this is not exclusive to MEW or Web Wallets or even Cryptocurrency. Browser extensions can be granted access to the Document Object Model (DOM) and in some cases this access could enable an extension to sniff/manipulate data on a page, such as your keys. Depending on the functionality exposed by the extension and if it has a server interaction itself, a "trusted" extension could be compromised and thus exploit access it has been granted. I can actually find no event where this actually occurred, but it's not impossible and security is a combination or probability, entropy, obscurity and technical exposure. If you install an extension manually in developer mode, then the extension may not have passed "community guidelines" for the browser you are using. For example, Chrome has a number of security measures in place, and has limitations on an Extensions access, but relies mostly on the Swarm to report malicious extensions and as a result does open an attack vector.

Security Audits

MyEtherWallet has never been formally audited by a third-party, this infers there could be associated vulnerabilities or zero-days that are unbeknownst even to the developers, assuming they are not bad actors. While the attack vector of a client-side wallet is incredibly limited, particularly when running on a local machine, that does not mean there are no inherent risks.

Questionable Behaviors and Characteristics

  • During the Status ICO, the administrator of MEW put a misleading message to users regarding the status of Status (no pun intended), lying to users and telling them the crowdsale was over.
  • The developer of MEW is known to be a bit hot-tempered and a poor communicator. A year or so ago, he said that MEWs donations, at that time 80 ether (then worth less than $10/ETH) was not enough to pay for an audit. He now has more than enough ether to pay for an audit, but there is no indication this is being pursued.

While MyEtherWallet is generally a trusted service in the Ethereum community, there is always a chance things could go sideways. The best way to interact with MyEtherWallet is to search for offline transactions with MyEtherWallet and learn about air-gapping.

Note: Trezor usage on MyEtherWallet has a very narrow attack vector, as all signing occurs on the device so MEW is not aware of your private keys, nor can it easily alter a transaction after it has been signed. There is still possibility of attack, but it would require negligence on your behalf to work and precise circumstances

Dangers still exist with running MEW locally

  • If your machine is compromised, running locally is potentially worse, and you're probably already pwned.
  • Any machine connected to the internet that stores or has in memory private keys is technically at risk.
  • While unlikely, if malicious code were committed to the repository and then you downloaded it and used it on an internet connected device, you could compromise your keys.

Reduce the Attack Vector

As mentioned in several of the EOS Crowdsale MEW Guides, there's some steps you can take to protect yourself if you want to use MEW.

  1. Download from the Github Repository and run locally.
  2. Configure MEW to use a local node instead of a third-party node, like parity (this can also be done on web version)
  3. Use offline signatures.
  4. Never keep your private key in your clipboard for longer than you have to, and for maximum protection, never store your private keys on any internet connected device.

MEW Alternatives

To be considered a suitable "MEW alternative" for most users, for the purpose of this article and its intended audience, a wallet client should meet certain specifications.

Minimum Requirements

  • Allow importing/exporting a wallet
  • Provides access to private keys/mnemonic phrase
  • Contract ABI compatibility
  • Has a GUI

Lite Wallet Alternative

Hot Wallet Alternative

  • Ethereum-Wallet ... Technically Mist too, but it's a bit overkill as a wallet at this point in time.

Final Words

It's been a pleasure helping all of you over the past 10 days. However, the trolls frequenting the channel have slowly taken a toll on me, and my last interactions brought me to zero. I'm going to be taking a break from both Steem and helping out with the Crowdsale for a while. There are very helpful and knowledgable people in the EOS telegram that can assist you with any problems you may encounter. At the time of this writing @ake0s and @hadrian are active volunteers, with EOS staff @daniellarimer and @josh as regulars.

Egészségére

Sort:  

Thank you @sandwich. This is a very well written post.

I don't think we need to go back into discussion about why I was flagging you, but I was flagging inappropriate comments. It is ok to disagree with a person.. it is less okay to resort to insults while making your point.

I have provided this post with a 100% upvote.

Thanks. If you visit our thread you will see a retraction and my views on the matter. Water under the bridge as far as I am concerned.

An article that everybody using MEW should read! Yet it would be best, if you also mentioned alternative solutions in your article. Thanks

Updated.

Thanks for all of your efforts, Ser Sandwich.

"During the Status ICO, the administrator of MEW put a misleading message to users regarding they status of Status (no pun intended), lying to users and informing them about" - that is very true. I thought I was the only one that noticed this message they put there. I actually thought it came from the Status contract itself. Good article though!

Thanks for all your help and effort!

I'm one of those less sophisticated users...thanks for the additional info. Could you briefly explain (just in a sentence) what's the major difference between buying the EOS tokens on Bitfinex and buying it through MEW /MetaMask.

One is the distribution ICO and one is the market. Which one is the better deal is influenced by random factors, but the likelihood that they are at or around the same price is high. And I believe this is by design.

Thanks @sandwich, got it! I'll just need to complete Step 3: EOS Public Key Mapping from your guide to claim few tokens I've bought on Day 1.

Glad it worked out for you.

And a broad one: Should we expect alternative crypto currencies price drop after Aug 1?

Great and well detailed post there @sandwich. Following you

Thanks. I never even thought about it much when using MEW. I'll look into using metamask in the future.

@sandwich - Thank you so much!! I've been reading lots of your posts recently as I'm learning about Ethereum and storing tokens. Looks like I may need to use an alternative to MEW. You've provided great content, which has really accelerated my learning (while also making me realise just how little I know!) I'm new to Steemit so it's nice to see how helpful people are on here. Love it :)

Congratulations @sandwich! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 3 years!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Do not miss the last post from @steemitboard:

SteemitBoard - Witness Update
Vote for @Steemitboard as a witness to get one more award and increased upvotes!

Congratulations @sandwich! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s) :

You received more than 3000 as payout for your posts. Your next target is to reach a total payout of 4000

You can view your badges on your board and compare yourself to others in the Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP