While attempting to help the community with the EOS Crowdsale, despite my best efforts, it is possible I have not been clear enough about the dangers of using the MEW web wallet.
The original write-up was provided in response to a high demand for clearer instructions on contributing to the EOS Crowdsale with MEW. It could therefore be inferred that these users were already experienced and knew the risks associated with its usage.
The official http://eos.io instructions did not include instructions for the register function, nor did they explain the importance of the registration process. The instructions for MyEtherWallet.com's existing-contracts feature are lacking, and this caused an influx of confused contributors. After a few days of helping in the EOS telegram, we found ourselves answering the same questions over and over. In an attempt to make this easier, I posted multiple articles to make sharing information more efficient.
These articles are now being used by less sophisticated users, which has exposed an inherent knowledge gap. After dealing with some flag-abuse in response to a disagreement over the precision of the language used to describe the security risks of using MEW in my last post, I decided it may be a good idea to elaborate on the inherent risks of web wallets, and particularly of MyEtherWallet, otherwise known as MEW.
As I have said in previous posts, you should always conduct your own research, and trust no one. Personal responsibility is a core tenet of crypto, and so, for me to provide every excruciating detail would have bloated these posts beyond the label of tl;dr, into the realm of "This is the most irrelevant article in my life, CLICK BAIT!"
Before we begin: no software is "safe". As long as a device is connected to a network, the aim of being "unhackable" is a pipe dream. Your greatest weapon is knowledge and controlling your exposure.
When you use a wallet on a third party's server, you can never be certain of their intentions or commitment to a project. Web wallets require trust in a trustless system, and to some degree, it is oil and water. They exist and are tolerated for the purpose of accessibility to a larger demographic. Even though the web wallet is client-side, meaning code that runs in your browser, if the administrator were a bad actor or the server were compromised, changes could be made to the client-side source code to call home (a.k.a. send data to the server) with information you have entered into that website. There are numerous methods to achieve this, including, but not limited to, AJAX, cookies and exploiting canvas.
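As an added example (not code from the original post or from MyEtherWallet), the snippet below shows one way to audit the "call home" risk described above when running a locally hosted copy of a wallet page: it wraps the browser's outbound-request APIs, records every attempted request and refuses any whose origin is not explicitly allowed. The function name and the host `collector.example.invalid` used in the comments are hypothetical placeholders.

```javascript
// Added example, not code from the original post or from MyEtherWallet: an
// egress monitor that wraps the browser APIs a page can use to "call home"
// (fetch, XMLHttpRequest and navigator.sendBeacon), records every attempted
// outbound request and refuses any whose origin is not on an allow-list.
// `g` is the global object (window in a browser; a constructed stand-in in tests).
function installEgressMonitor(g, { allowedOrigins = [] } = {}) {
  const log = [];
  const record = (api, url) => {
    let origin = "(unparseable)";
    // Relative URLs resolve against the local host, so same-page assets pass
    // when "http://localhost" is allow-listed while remote origins do not.
    try { origin = new URL(String(url), "http://localhost").origin; } catch (e) {}
    const entry = { api, url: String(url), origin, allowed: allowedOrigins.includes(origin) };
    log.push(entry);
    return entry;
  };

  // fetch(): reject instead of sending when the target origin is not allowed.
  if (typeof g.fetch === "function") {
    const realFetch = g.fetch;
    g.fetch = function (input, init) {
      const entry = record("fetch", typeof input === "string" ? input : input && input.url);
      if (!entry.allowed) return Promise.reject(new Error("egress blocked: " + entry.url));
      return realFetch.call(this, input, init);
    };
  }
  // XMLHttpRequest (classic "ajax"): hook open() so the target URL is captured
  // before any send() can happen.
  if (g.XMLHttpRequest && g.XMLHttpRequest.prototype) {
    const proto = g.XMLHttpRequest.prototype;
    const realOpen = proto.open;
    proto.open = function (method, url, ...rest) {
      const entry = record("xhr", url);
      if (!entry.allowed) throw new Error("egress blocked: " + entry.url);
      return realOpen.call(this, method, url, ...rest);
    };
  }
  // navigator.sendBeacon(): a fire-and-forget request that also needs watching.
  if (g.navigator && typeof g.navigator.sendBeacon === "function") {
    const realBeacon = g.navigator.sendBeacon;
    g.navigator.sendBeacon = function (url, data) {
      const entry = record("beacon", url);
      return entry.allowed ? realBeacon.call(this, url, data) : false;
    };
  }
  return log;
}
```

With an empty allow-list (a true offline audit) every outbound attempt is logged and refused, which is the behaviour you want before trusting a copy of any web wallet.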
There are no glaring indications at this time (July 5th 9:10PM CET [UTC+2]) that MEW contains any malicious code. If MEW patched malicious code into their repository, or onto their web app, security-aware users would likely catch it fairly quickly. This statement will be deprecated once I have lost the ability to update this post due to Steem archiving.
I didn't originally include this as a vulnerability because it is not exclusive to MEW, or to web wallets, or even to cryptocurrency. Browser extensions can be granted access to the Document Object Model (DOM), and in some cases this access could enable an extension to sniff or manipulate data on a page, such as your keys. Depending on the functionality exposed by the extension, and whether it has server interaction of its own, a "trusted" extension could be compromised and thus exploit the access it has been granted. I can find no event where this has actually occurred, but it's not impossible, and security is a combination of probability, entropy, obscurity and technical exposure. If you install an extension manually in developer mode, then the extension may not have passed the "community guidelines" for the browser you are using. For example, Chrome has a number of security measures in place and limits an extension's access, but relies mostly on the swarm of users to report malicious extensions, and as a result this does open an attack vector.
MyEtherWallet has never been formally audited by a third party; this implies there could be associated vulnerabilities or zero-days that are unbeknownst even to the developers, assuming they are not bad actors. While the attack surface of a client-side wallet is incredibly limited, particularly when running on a local machine, that does not mean there are no inherent risks.
While MyEtherWallet is generally a trusted service in the Ethereum community, there is always a chance things could go sideways. The best way to interact with MyEtherWallet is to search for "offline transactions with MyEtherWallet" and learn about air-gapping.
Note: Trezor usage on MyEtherWallet has a very narrow attack vector, as all signing occurs on the device, so MEW is not aware of your private keys, nor can it easily alter a transaction after it has been signed. There is still a possibility of attack, but it would require negligence on your behalf and precise circumstances to work.
As mentioned in several of the EOS Crowdsale MEW Guides, there are some steps you can take to protect yourself if you want to use MEW.
To be considered a suitable "MEW alternative" for most users, for the purpose of this article and its intended audience, a wallet client should meet certain specifications.
It's been a pleasure helping all of you over the past 10 days. However, the trolls frequenting the channel have slowly taken a toll on me, and my last interactions brought me to zero. I'm going to be taking a break from both Steem and helping out with the Crowdsale for a while. There are very helpful and knowledgeable people in the EOS telegram that can assist you with any problems you may encounter. At the time of this writing @ake0s and @hadrian are active volunteers, with EOS staff @daniellarimer and @josh as regulars.
To your health!