Vulnerabilities in Visual Studio Code Extensions Expose Developers to Attacks

Vulnerabilities in Visual Studio Code extensions could be exploited by malicious attackers to steal valuable information from developers and even compromise organizations, researchers with open-source software security firm Snyk say.

Generally considered secure, VS Code extensions could expose millions of developers to malicious attacks, potentially leading to the compromise of information stored on developer machines, such as credentials, or even opening the route to further attacks.

Snyk’s security researchers analyzed popular VS Code extensions that start web servers, which are typically accessible locally via a browser, and discovered that malicious actors could exploit vulnerabilities in the web server to target the developers using these extensions. The attacks demonstrated by Snyk only require the victim to click on a link.

“By leveraging this attack scenario a malicious actor can steal important pieces of information, like RSA keys, and eventually access version control systems (VCS) or even connect to production servers and compromise the security of an entire organization,” Snyk notes.

One of the vulnerable extensions, LaTeX Workshop, which has approximately 1.2 million installs, starts an HTTP server and a WebSocket server (on a random port) when the developer opens a .tex file in the editor, to allow them to preview a PDF file in the browser.

The input that a WebSocket client sends to the openExternal VS Code API method was not sanitized, however, so the extension was vulnerable to command injection: a malicious web page that managed to connect to the extension’s local WebSocket server (locating it by trying all possible ports) could exploit the flaw.
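The two trust boundaries in the LaTeX Workshop scenario, checked the way a hardened extension would check them. This is an added example, not LaTeX Workshop's code: the handshake's `Origin` header is compared against the extension's own local HTTP server before a page may talk to the WebSocket server, and the message payload is reduced to a plain web URL before anything reaches `openExternal`. Function names, the allowed-scheme list and the injected `openExternal` callback are assumptions.

```javascript
// Added example (not LaTeX Workshop's code). Assumed model: the extension's
// HTTP preview server is bound to `serverPort`; only pages served from it
// may connect to the WebSocket server, and every message is untrusted.

// Browsers always send an Origin header on a WebSocket handshake, so the
// server can tell its own preview page from an arbitrary web page.
function isAllowedOrigin(originHeader, serverPort) {
  if (typeof originHeader !== 'string') return false;
  let origin;
  try { origin = new URL(originHeader); } catch { return false; }
  const localHosts = new Set(['127.0.0.1', 'localhost', '[::1]']);
  return origin.protocol === 'http:' &&
         localHosts.has(origin.hostname) &&
         origin.port === String(serverPort);
}

// openExternal hands the URI to the operating system's handler for its
// scheme, so anything other than an http(s) URL is refused outright.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);   // assumed policy
function sanitizeExternalTarget(message) {
  if (typeof message !== 'string' || message.length > 2048) return null;
  let url;
  try { url = new URL(message); } catch { return null; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.username || url.password) return null;      // no embedded credentials
  return url.href;                                     // normalized form
}

// Message handler as the extension would wire it. `openExternal` is passed
// in so the logic runs without the vscode module; returns what happened.
function handlePreviewMessage(originHeader, serverPort, rawMessage, openExternal) {
  if (!isAllowedOrigin(originHeader, serverPort)) return 'rejected-origin';
  const target = sanitizeExternalTarget(rawMessage);
  if (target === null) return 'rejected-payload';
  openExternal(target);
  return 'opened';
}
```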

The Open In Default Browser extension, which starts an HTTP server to preview pages in the browser, was found to contain a path traversal bug that a malicious actor could exploit to steal files from the machine. Same-origin policy (SOP) protections would normally block such an attempt, but a cross-site scripting (XSS) payload could be crafted to get around them.

Snyk also discovered that the Rainbow Fart extension (60,000 installs), which plays a sound when the user types specific keywords, contained a Zip Slip vulnerability that could be abused to overwrite arbitrary files on the target computer, and possibly achieve arbitrary code execution.


In some cases, the vulnerable VS Code extensions could have leveraged existing NPM packages to implement the desired functionality instead of using custom code — this can help avoid introducing vulnerabilities.

“What has been clear for third-party dependencies is also now clear for IDE plugins — they introduce an inherent risk to an application. They’re potentially dangerous both because of their custom written code pieces and the dependencies they are built upon. What has been shown here for VS Code might be applicable to other IDEs as well,” Snyk concludes.

Related: Vulnerability in CocoaPods Dependency Manager Exposed Millions of Apps

Related: Library Dependencies and the Open Source Supply Chain Nightmare

Related: Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
