Vulnerability in GitHub.dev and VS Code Integration
Security researchers have uncovered a critical vulnerability in the integration between GitHub.dev and Microsoft Visual Studio Code. The flaw allows an attacker to steal a user's GitHub OAuth token with a single click on a malicious link. The GitHub.dev feature runs a lightweight web-based source code editor that relies on an OAuth token sent from github.com to github.dev. This token is not scoped to a specific repository: it grants full read and write access to every repository the victim can access, including private ones.
How the One Click Exploit Works
The attack exploits a message-passing mechanism between the main VS Code window and webviews, which are used for tasks such as Markdown previews or editing Jupyter notebooks. By running malicious JavaScript inside an untrusted webview, the attacker can simulate keypresses (such as Ctrl+Shift+P) to open the Command Palette. This enables the installation of an attacker-controlled VS Code extension that extracts the OAuth token. The exploit also leverages a feature called local workspace extensions, which allows an extension to be installed without additional trust prompts if it is placed in the repository's ".vscode/extensions" folder. This bypasses the publisher trust check, making the attack stealthier.
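Because a local workspace extension in ".vscode/extensions" loads without a publisher trust prompt, one practical defensive check is to inspect a repository for such bundled extensions before opening it in github.dev or VS Code. The script below is an added example written for this summary; it is not code from the article, from GitHub, or from Microsoft. It assumes the VS Code convention that each workspace extension sits in its own subfolder of ".vscode/extensions" with a package.json manifest carrying the standard "name", "publisher", "main"/"browser" and "activationEvents" fields; the sample repository it builds is constructed data.

```python
"""Pre-open check: report local workspace extensions bundled in a repository.

Added example, not code from the original article or from GitHub/Microsoft.
Assumption: a local workspace extension lives in its own folder under
.vscode/extensions/<folder>/ and ships a VS Code extension manifest
(package.json with "name", "publisher", "main" or "browser", "activationEvents").
"""
import json
import tempfile
from pathlib import Path


def find_workspace_extensions(repo_root):
    """Return one finding dict per extension manifest under .vscode/extensions."""
    repo_root = Path(repo_root)
    ext_dir = repo_root / ".vscode" / "extensions"
    findings = []
    if not ext_dir.is_dir():
        return findings
    # VS Code picks up each immediate subfolder as one extension; we do not
    # descend further, so nested node_modules manifests are not reported.
    for manifest in sorted(ext_dir.glob("*/package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            data = {}  # unreadable manifest: still report the folder
        findings.append({
            "path": str(manifest.relative_to(repo_root)),
            "name": data.get("name"),
            "publisher": data.get("publisher"),
            # An extension with a "main" or "browser" entry point executes code
            # when activated; with activationEvents ["*"] that happens on load.
            "runs_code": bool(data.get("main") or data.get("browser")),
            "activation_events": list(data.get("activationEvents") or []),
        })
    return findings


def build_sample_repo():
    """Construct a throwaway repository tree containing one bundled extension.

    Constructed sample data; the extension name and publisher are placeholders.
    """
    root = Path(tempfile.mkdtemp())
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("print('hello')\n", encoding="utf-8")
    ext = root / ".vscode" / "extensions" / "helper-ext"
    ext.mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({
        "name": "helper-ext",
        "publisher": "placeholder-publisher",
        "version": "0.0.1",
        "engines": {"vscode": "^1.80.0"},
        "main": "./extension.js",
        "activationEvents": ["*"],
    }), encoding="utf-8")
    (ext / "extension.js").write_text("// placeholder entry point\n", encoding="utf-8")
    return root


def main():
    root = build_sample_repo()
    findings = find_workspace_extensions(root)
    if not findings:
        print("OK: no local workspace extensions bundled in this repository")
    for f in findings:
        print(f"WARNING: bundled extension {f['name']!r} (publisher {f['publisher']!r}) "
              f"at {f['path']} runs_code={f['runs_code']} "
              f"activation={f['activation_events']}")


if __name__ == "__main__":
    main()
```

Run it against a freshly cloned repository root instead of the constructed sample to get a list of bundled extensions to review before trusting the workspace; an extension with activationEvents ["*"] and a code entry point is the case worth examining first, since it would run as soon as the workspace loads.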
Source: The Hacker News
