A security researcher has disclosed details of a severe Visual Studio Code (VS Code) vulnerability that can be exploited to steal a user’s GitHub token and access their repositories.
The vulnerability in Microsoft’s popular code editor was discovered by Ammar Askar, who decided to make the technical details and a PoC exploit public without notifying the tech giant in advance.
The researcher described a previous “horrible experience” when reporting a VS Code vulnerability, which Microsoft patched silently without giving him any credit.
Askar made his new findings public on June 2, one hour after giving a heads-up to someone on the security team of GitHub, which Microsoft owns.
While the vulnerability was disclosed as a zero-day, Microsoft rolled out a fix on June 3.
Exploitation of this one-click security hole involves an attacker creating a specially crafted Jupyter notebook. When someone opens it on github.dev, a lightweight version of VS Code that runs entirely in the web browser, hidden code inside the notebook simulates keystrokes to install a malicious extension.
This extension then quietly steals the victim’s GitHub access token and sends it to the attacker. The stolen token grants the attacker full read and write access to all repositories the victim can access, including private ones.
The user clicking on a link pointing to the malicious notebook is the only requirement to trigger the attack.
The victim is notified that the extension wants access, but only if github.dev was never used in the past.
The attack also works against the desktop version of VS Code, but it is not as easy to carry out as it requires additional interaction from the victim. On the other hand, this attack can lead to remote code execution on the victim’s device. The desktop version appears to remain unpatched.
SecurityWeek has contacted Microsoft for comment and will update this article if the company responds.
This is not the first time a researcher has disclosed a Microsoft product vulnerability in recent weeks without notifying the vendor and giving it time to release a patch.
A researcher known online as Chaotic Eclipse and Nightmare Eclipse made public PoC exploits for several zero-days following a disagreement with Microsoft during a vulnerability disclosure process.
The list includes the vulnerabilities dubbed RedSun, UnDefend, BlueHammer, YellowKey, MiniPlasma, and GreenPlasma, some of which have been exploited in the wild.
Microsoft responded with threats of legal action against researchers who dump zero-days, but later tried to calm concerns amid backlash from the cybersecurity community.
Related: North Korean Hackers Target macOS Developers via Malicious VS Code Projects
Related: From Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPI
Related: VS Code Configs Expose GitHub Codespaces to Attacks
