news.volyx.in

1-Click GitHub Token Stealing via a VSCode Bug (blog.ammaraskar.com)

660 points by ammar2 · 41 days ago · 101 comments on HN

Article summary

A security researcher discovered a vulnerability in VSCode that allows an attacker to steal a GitHub token by exploiting a bug in the webview security model. The bug enables an attacker to simulate keyboard events, which can be used to install a malicious extension and gain access to the victim's GitHub account. The researcher reported the issue to Microsoft, but due to a previous negative experience with the company's security response, they decided to disclose the vulnerability publicly. The vulnerability exists in both the desktop and web versions of VSCode.

Main themes

  • VSCode security vulnerability
  • GitHub token theft
  • Webview security model
  • Microsoft security response
  • Responsible disclosure

What commenters say

  • The researcher's decision to disclose the vulnerability publicly was justified due to Microsoft's poor handling of previous security reports.
  • Microsoft's security response is inadequate, and the company should prioritize transparency and credit researchers for their discoveries.
  • The vulnerability highlights the need for better security measures in VSCode, such as scoped permissions and improved webview security.
  • The use of temporary per-repo permission scopes or tokens could mitigate similar vulnerabilities in the future.
  • Some commenters argue that the researcher's actions were irresponsible and that they should have followed traditional reporting channels.
  • Others believe that Microsoft's behavior is a classic example of a company prioritizing its own interests over security and researcher recognition.
  • The debate surrounding the vulnerability and disclosure also touches on the broader issue of security researcher compensation and recognition.
  • Some commenters suggest that the vulnerability is a symptom of a larger problem with the design of VSCode extensions and their potential for exploitation.