MistPwn
An experimental Ðapp to demonstrate some insecurities in the Ethereum Mist Browser...
... or why you should not navigate your Mist Browser (<=0.8.6) to untrusted websites... (Details)
Long story short, Mist currently allows any website to ...
- execute arbitrary commands on your machine (with the permissions of the Mist browser) [windows, macos]
- delete arbitrary files [windows, macos, linux]
- read/write/overwrite shortcut links to arbitrary locations [windows]
- get your main ethereum account and balance even though you are in anonymous (unconnected) mode, revealing your identity without your consent [windows, macos, linux]
- enumerate the local Mist application path and platform, potentially leaking your local username and revealing your identity in anonymous mode

... and Mist ...
- does not warn you when connecting to insecure Ðapps/sites, leaving you vulnerable to MitM attacks (http allowed)
- does not protect known critical sites like wallet.ethereum.org with HSTS
- does not warn you if you pin multiple Ðapps sharing the same dapp name
- relies on a web-hosted default wallet, which is effectively a single point of exploitation for owning ethereum Mist users
- does not protect from framing attacks (clickjacking)
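Several of the items above (plain http, missing HSTS, same-name pinned Ðapps, framing) can be checked mechanically. The following is an added example, not part of MistPwn or Mist: it audits a constructed list of pinned Ðapps, and the record shape `{name, url, headers}`, the function names and the sample hosts are assumptions made for illustration.

```javascript
// Added example, not MistPwn or Mist code. The record shape
// {name, url, headers} and the sample data below are assumptions.
function hstsEnabled(h) {
  const m = /max-age\s*=\s*"?(\d+)/i.exec(h['strict-transport-security'] || '');
  return m !== null && Number(m[1]) > 0; // max-age=0 switches HSTS off
}

function framingProtected(h) {
  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny' || xfo === 'sameorigin') return true;
  const fa = (h['content-security-policy'] || '').split(';')
    .map(d => d.trim().toLowerCase().split(/\s+/))
    .find(d => d[0] === 'frame-ancestors');
  return Boolean(fa) && fa.length > 1 && !fa.includes('*');
}

function auditPinned(pinned) {
  const findings = [];
  const seen = new Map(); // normalized name -> origin that first used it
  for (const dapp of pinned) {
    const h = {};
    for (const [k, v] of Object.entries(dapp.headers || {})) h[k.toLowerCase()] = String(v);
    const origin = new URL(dapp.url).origin;
    const add = issue => findings.push({ name: dapp.name, origin, issue });
    // HSTS is only honoured over https, so plain http is reported on its own
    if (!origin.startsWith('https://')) add('insecure-transport');
    else if (!hstsEnabled(h)) add('no-hsts');
    if (!framingProtected(h)) add('frameable');
    // Names that differ only in case, spacing or Unicode form look alike when pinned
    const key = dapp.name.normalize('NFKC').trim().toLowerCase();
    if (seen.has(key) && seen.get(key) !== origin) add('duplicate-name');
    else seen.set(key, origin);
  }
  return findings;
}

// Constructed sample input
const SAMPLE_PINNED = [
  { name: 'Wallet', url: 'https://wallet.example/',
    headers: { 'Strict-Transport-Security': 'max-age=31536000', 'X-Frame-Options': 'DENY' } },
  { name: 'wallet ', url: 'http://wallet-copy.example/', headers: {} },
  { name: 'Exchange', url: 'https://dex.example/',
    headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" } },
];

for (const f of auditPinned(SAMPLE_PINNED)) console.log(`${f.origin}  ${f.name.trim()}: ${f.issue}`);
```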
Have your ethereum client tested, read the disclaimer and click the blue button below to start the test.
Note: The test does not perform any harmful operations. Potentially harmful operations like executing commands may require user interaction, see details.
Disclaimer
/* This program is free software. It comes without any warranty, to
 * the extent permitted by applicable law. You can redistribute it
 * and/or modify it under the terms of the GNU General Public License,
 * Version 2, as published by the Free Software Foundation. See
 * github.com/tintinweb/pub/tree/master/pocs/nocve-2016-ethereum_mist_browser
 * for more details. */
Results
# | Status | Vector | Description | Value |
---|---|---|---|---|