VS Code Zero-Day Vulnerability
A security researcher, Ammar Askar, has released exploit code for a Visual Studio Code (VS Code) zero-day vulnerability that allows attackers to steal GitHub authentication tokens by tricking users into clicking a link. The attack abuses VS Code's sandboxed webview message-passing system, allowing attackers to install malicious extensions that steal GitHub OAuth tokens when they are passed to github.dev.
Exploit Details
The proof-of-concept exploit abuses this system by running malicious JavaScript inside a webview to simulate keypresses in the main editor and install an extension. That extension extracts the GitHub OAuth token sent to github.dev and queries the GitHub API to enumerate all private repositories the victim can access. According to Askar,
"This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf. The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to."
Protection and Disclosure
While the vulnerability is not yet patched and has not yet been assigned a CVE ID, VS Code users can protect themselves by clearing cookies and local site data for github.dev in their browser. Askar notified GitHub one hour before disclosing the bug and chose immediate public disclosure due to a prior negative experience with Microsoft's security response process.
Askar stated that
"That was mostly a courtesy to GitHub, the intent here was full public disclosure. In my past experience reporting github.dev bugs to them, they tell you that it's out of scope and go report it to MSRC. And as I outlined in the article, I really don't want to deal with MSRC on VSCode bugs."
This follows another stream of zero-days in various Microsoft products disclosed by an anonymous security researcher using the 'Nightmare Eclipse' online handle.
Microsoft Response
Microsoft reacted to the disclosure with a statement,
"We value the critical role that the security research community plays in strengthening the security of our products, services, and the broader technology ecosystem. While independent researchers determine when and how to publish their findings, we remain committed to rapidly assessing reported issues, mobilizing the appropriate engineering and security response resources, and delivering mitigations, guidance, and protections as quickly as possible to help safeguard our customers."
The incident highlights the importance of responsible disclosure and the need for effective communication between security researchers and vendors. As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and take proactive measures to protect themselves against zero-day exploits.
- Clear cookies and local site data for github.dev in your browser to protect yourself against this vulnerability.
- Stay informed about the latest security updates and patches for VS Code and other Microsoft products.
- Implement robust security measures, such as breach and attack simulation, to test your defenses and identify potential weaknesses.
Conclusion
The VS Code zero-day vulnerability is a significant concern for users, as it allows attackers to steal sensitive GitHub authentication tokens. By understanding the exploit details and taking proactive measures to protect themselves, users can reduce the risk of falling victim to this vulnerability. As the security landscape continues to evolve, it is essential for organizations to prioritize responsible disclosure, effective communication, and robust security measures to stay ahead of emerging threats.
Source: BleepingComputer