Code Vulnerability Alert: GitHub Tokens Easily Compromised in VS Code Security Flaw

A zero-day vulnerability in Visual Studio Code (VS Code) has been disclosed by a security researcher, allowing attackers to steal GitHub authentication tokens through a malicious link. According to Microsoft, a zero-day flaw is one that is publicly known and actively exploited without an official patch available.

The flaw lets an attacker install a malicious extension that extracts the victim’s GitHub OAuth token when the victim interacts with github.dev, the browser-based version of VS Code for GitHub repositories. By abusing VS Code’s webview message-passing system, the attacker can run JavaScript that simulates keypresses to install the extension, which then exfiltrates the token and grants access to every private repository the victim can reach.

To protect themselves, VS Code users can clear cookies and local site data for github.dev in their browser settings. After that, an exploitation attempt triggers a warning prompt instead of proceeding silently.

The security researcher, Ammar Askar, chose to disclose the bug publicly after a negative experience with Microsoft’s security response process. Askar notified GitHub before publishing, citing a lack of acknowledgment from Microsoft on earlier bug reports.

This disclosure follows a series of zero-day vulnerabilities in Microsoft products disclosed by an anonymous security researcher using the online handle ‘Nightmare Eclipse.’ Microsoft initially responded to these disclosures with threats of legal action but later stated they would work with law enforcement as needed.

BleepingComputer reached out to Microsoft for comment on the VS Code zero-day flaw but did not receive an immediate response.
