HN Today

1-Click GitHub Token Stealing via a VSCode Bug

A security researcher uncovered a 1-click GitHub token stealing vulnerability within VSCode's browser-based editor, github.dev, exploiting a convoluted chain of keyboard event bubbling and extension mechanisms. The detailed write-up meticulously breaks down how a simple link click can lead to full read/write access to all your GitHub repositories. This story resonated strongly on HN due to its technical brilliance and the author's pointed critique of Microsoft's security disclosure practices.

Score: 257 · Comments: 33 · Highest rank: #1 · 14h on front page · First seen: Jun 3, 3:00 AM · Last seen: Jun 3, 4:00 PM
Rank over time: (chart not reproduced)

The Lowdown

Security researcher Ammar Askar unveiled a critical 1-click vulnerability in github.dev, the browser-based version of VSCode. This exploit allows an attacker to steal a user's GitHub token, granting full read/write access to all their public and private repositories, simply by clicking a malicious link.

  • The github.dev editor, accessed by changing github.com to github.dev in a repo URL, provides a full-featured VSCode experience in the browser. Crucially, it receives a broadly-scoped OAuth token from github.com that grants access to all user repositories.
  • VSCode webviews, used for rendering content like Markdown or Jupyter notebooks, are typically isolated in cross-origin iframes, communicating with the main application via Window.postMessage().
  • The core vulnerability lies in how VSCode handles keyboard events: webviews are allowed to bubble up keydown events to the main VSCode window, ensuring basic functionality like command palette (Ctrl+Shift+P) works inside them.
  • The exploit chain abuses this: attacker-controlled JavaScript in a webview (e.g., from a Jupyter notebook) simulates keystrokes.
    • First, it triggers Ctrl+Shift+A to accept a notification prompting installation of a "recommended" local workspace extension.
    • Local workspace extensions are exempt from new publisher trust checks in trusted workspaces (which github.dev is).
    • While Content Security Policy (CSP) prevents running JavaScript directly from a local extension in the web version, its `package.json` can still contribute custom keybindings.
    • A custom keybinding (e.g., Ctrl+F1) is then defined in the local extension's `package.json` to call the `workbench.extensions.installExtension` command with `skipPublisherTrust: true`, thereby installing the actual malicious extension from the marketplace.
  • The proof-of-concept demonstrates this by installing an extension that fetches and displays the user's GitHub token and private repository list.
  • Self-protection involves clearing github.dev site data to force re-authentication, allowing users to decline token provisioning. Once provisioned, no further dialogs protect the user.
  • The author notes that VSCode's good security practices like strict CSP and DOMPurify still prevent many easier XSS exploits.
  • The full public disclosure was a deliberate choice due to past negative experiences with Microsoft Security Response Center (MSRC), where previous bugs were allegedly silently fixed without credit or recognition of severity.

This exploit highlights the subtle complexities of security in modern web applications, where multiple seemingly minor features can be chained into a critical vulnerability. It also brings to light the ethical challenges faced by security researchers dealing with corporate security response teams.

The Gossip

MSRC's Murky Maneuvers

Discussion revolves around Microsoft Security Response Center's alleged practice of silently patching bugs without credit and downplaying their severity, leading the author to full public disclosure. Commenters largely empathize with the author's frustration, with some speculating it could lead to blacklisting, while others highlight the importance of researchers being properly acknowledged for their work. The sentiment is generally critical of MSRC's approach, seen as disrespectful to security researchers' efforts.

Token Transparency & Tightening

Many users express concern over the broad, un-scoped GitHub OAuth token used by `github.dev`, which grants read/write access to all repositories. Suggestions include implementing per-repo or temporary tokens, similar to GitHub Codespaces, to minimize the blast radius of such vulnerabilities. There's a general consensus on the need for defense-in-depth, assuming eventual compromise, and advice on segregating resources and controlling damage, with one commenter sharing their own experience of a GitHub token compromise.

Exploit Explanation Elucidation

A few commenters sought clarification on the complex exploit chain, specifically how the author bypassed the publisher trust system and Content Security Policy (CSP) issues to install the malicious extension. The author provided a helpful breakdown, explaining the ingenious use of a local workspace extension's `package.json` to define a keybinding that then triggers the installation of the "real" malicious extension, neatly sidestepping CSP restrictions on local extension JavaScript execution.

Alternative Appraisals

Some discussions touched upon alternative IDEs like Zed and VSCodium, suggesting them as options for users who appreciate VSCode's functionality but have reservations about Microsoft or seek different features. Users praised Zed for its speed and consolidated functionality, though some noted its potential for integrated AI and team-sharing features that might pose compliance concerns.