| ▲ | 1-Click GitHub Token Stealing via a VSCode Bug(blog.ammaraskar.com) |
| 257 points by ammar2 15 hours ago | 33 comments |
| |
|
| ▲ | zbentley 3 hours ago | parent | next [-] |
| This is a very good writeup. Zooming way out (perhaps to the point of useless observation), it's a pity that the web embedded VSCode editor is signed into GitHub at all. Defense-in-depth or not, a huge vulnerability surface arises from that original sin. It'd be like if you had a god-permissioned GitHub API token stored in world-readable plaintext on your workstation for the malicious-NPM-package-of-the-week to find. In a perfect world, it'd be awesome if the in-browser IDE launched with a temporary per-repo permission scope or token that allowed only pull and push to the repo in question; no github.com web session whatsoever. If you want the full GitHub web UI experience, well .... go back to github.com; make github.dev a single-repo service. I'm assuming that's a) inconvenient for users, b) hard to implement, and c) a historical assumption baked into a lot of the github.dev tooling, though. Ah well. |
| |
| ▲ | ammar2 3 hours ago | parent | next [-] | | > it'd be awesome if the in-browser IDE launched with a temporary per-repo permission scope That's actually exactly what they do for codespaces. The token only has read/write on the repo you activated for the codespace [1]. They should definitely consider doing that for github.dev as well. [1] https://orca.security/resources/blog/hacking-github-codespac... | |
| ▲ | amluto 2 hours ago | parent | prev | next [-] | | > temporary per-repo permission scope or token that allowed only pull and push to the repo in question How about pull from the repo but only push to a staging area from which the user, but not the token, can push for real? Frankly, LLM agents should do this too. Letting your LLM push seems foolhardy to me. | | |
| ▲ | namibj 25 minutes ago | parent | next [-] | | Jules is heavily restricted in what it can do to your repos. | |
| ▲ | alostpuppy 44 minutes ago | parent | prev | next [-] | | Exe.dev has an integrations feature which is similar allowing you to grant access to specific repos without having give the VMs credentials. I think it’s a similar pattern to iron.sh. I have been thinking more and more about how I might use this pattern. | |
| ▲ | moi2388 an hour ago | parent | prev [-] | | That makes so much more sense. |
| |
| ▲ | owl57 3 hours ago | parent | prev [-] | | If the malicious-npm-package-of-the-week is reading arbitrary files on your workstation, isn't it usually able to run git clone/push/whatever with your current credentials anyway? | | |
| ▲ | digi59404 3 hours ago | parent | next [-] | | Yes, but also no. For example in GitLab a user who’s infected could push code to a branch. Then it could even make a merge request to pull that branch into main (if main is protected). But then someone else on the team should have to manually approve that MR to allow it to be merged to main. This kind of defeats the ability of malware to push stuff out automatically. | |
| ▲ | ikiris 2 hours ago | parent | prev [-] | | Not if they're touch required in a secure enclave like a yubikey |
|
|
|
| ▲ | zuzululu 2 hours ago | parent | prev | next [-] |
| I had this happen to me recently github token got stolen and also cloudflare tokens guys even if you take security seriously you are going to get hit on a long enough time frame best thing to do is segregate and control damage trust no one, nothing, use orbstack, and always operate under the assumption that your token is going to get leaked at some point it knocked off my entire momentum. fortunately seemed like it was just a spam bot that took my tokens and created bunch of fake spam pages and trying to mine crypto the biggest feeling is the one of feeling violated take care fellow travelers |
| |
| ▲ | pjot an hour ago | parent [-] | | > created bunch of fake spam pages and trying to mine crypto
Pages like GitHub pages? We’re repos being created in your account? Curious how you discovered that your tokens were pwned | | |
| ▲ | zuzululu 36 minutes ago | parent [-] | | repos created, cloudflare eployed thee websites, edited dns saw a weird spam site, so damn tired went to bed thinking it was some mislick on my side woke up next morning and loaded up my domain, it redirected and panic set in my SEO is probably nuked even though it has been under 24 hours |
|
|
|
| ▲ | NagatoYuzuru 3 hours ago | parent | prev | next [-] |
| > the last time I interacted with MSRC regarding reporting a VSCode bug, it was a horrible experience where they silently fixed the bug Classic MSRC. It has figured out that researchers will report for free regardless. Why change? |
| |
| ▲ | guessmyname 2 hours ago | parent | next [-] | | MSRC doesn’t fix bugs. I don’t know the specifics of this case, but I’ve managed bug bounty programs in the past through Bountysource and HackerOne. One thing that occasionally happens is that a report makes its way to the development team before the security team has fully assessed it, in this case MSRC. At that point, a developer may decide to quietly fix the issue. Sometimes that’s driven by a concern, rational or not, that being associated with a security bug could reflect poorly on them or affect future promotion opportunities. The result is that by the time the security team attempts to reproduce the report, the vulnerability is already gone. From MSRC’s perspective, all they see is that the provided reproduction steps no longer work. They have no visibility into the internal history of the bug or whether someone already patched it. As a result, the report gets closed as invalid even though the original finding may have been legitimate. | | |
| ▲ | anonbanana an hour ago | parent | next [-] | | That makes sense but doesn't excuse the behavior. Just because there is poor communication within Microsoft doesn't make it okay to silently patch a vulnerability. Also, looking at the timeline on OP's post from 2023 it seems they patched it and closed the bug on the same day which is a little sus . | |
| ▲ | moi2388 an hour ago | parent | prev [-] | | Nonsense. As if there are no versions for their software releases. This is laziness, security absolutely could verify these steps. |
| |
| ▲ | natpalmer1776 3 hours ago | parent | prev [-] | | It was the status quo for a long time, then the pesky security researchers started asking for compensation instead of clout. | | |
| ▲ | ammar2 3 hours ago | parent | next [-] | | > instead of clout I'm catching up on the infosec twitter side but it seems like it was even worse. A lot of people have the same story as me in 2023 of "they silently patch the bug and don't even credit you" which really stinks. | | |
| ▲ | natpalmer1776 3 hours ago | parent [-] | | It definitely reminds me of the stereotypes of big business types stepping on the little guys to climb the ladder. I hope you get credit where credit is due in future endeavors. |
| |
| ▲ | opello 2 hours ago | parent | prev [-] | | Do it for the exposure! Artists of many stripes have had to combat that for ages. |
|
|
|
| ▲ | Noumenon72 3 hours ago | parent | prev | next [-] |
| Thank you for essentially donating the time you spent on this exploit to raise awareness on improving VS Code's security response. You could have just given up on them but you're still trying to help. |
| |
| ▲ | ammar2 2 hours ago | parent [-] | | Thank you, that's a very kind comment. I have no interest in selling these vulnerabilities or sitting on them. At the same time, it feels really bad to have a vendor disrespect the hours it can take to make a proof-of-concept by just patching it silently and not crediting you or acknowledging it. |
|
|
| ▲ | thrdbndndn 2 hours ago | parent | prev | next [-] |
| Very good write up but I lost it a little at the end. Could someone clarify for me? The author said: You cannot just use the shortcut trick to install the evil extension directly because of new publisher trust system; You can bypass this by using local workspace extensions which has no publisher screening, but CSP blocks it; The solution seems to be that installing a local workspace extension which binds a shortcut of 'install extension without checking publisher'. So I assume it means: 1. you need two extensions, 1st one is local and only for the keybinding, and 2nd one is the 'real' evil one and it doesn't need to (actually can't, because of CSP) be local anymore? 2. the CSP only prevents the JS in local extension but nothing about its package.json (or the ability to add shortcuts), right? |
| |
| ▲ | ammar2 2 hours ago | parent [-] | | 1 and 2 are correct, take a look at the PoC repo here: https://github.com/ammaraskar/github-dev-token-steal-poc/tre... We can try to just put a `my-extension/extension.js` for the most direct execution but the CSP blocks that. It's only a script-src CSP blocking it though, so fetching the package.json is still kosher. So we end up using it to contribute a keybinding instead. |
|
|
| ▲ | pier25 3 hours ago | parent | prev | next [-] |
| The MSRC situation is really unbelievable. There are probably better sources but I think this video by The Primeagen is a good introduction. https://www.youtube.com/watch?v=9kxx5xp5nTQ |
|
| ▲ | october8140 3 hours ago | parent | prev | next [-] |
| If you like VSCode but don't like Microsoft, try Zed (zed.dev). |
| |
| ▲ | Quothling an hour ago | parent | next [-] | | I heard that Zed came with a lot of integrated AI and team sharing features that phone home, so that's an issue for anyone working with stuff like NIS2 compliance. Not that VSCode isn't a compliance nightmare as well. | |
| ▲ | ZeroCool2u 2 hours ago | parent | prev | next [-] | | Zed is excellent. I know it's weird, but the last thing holding me back is being able to have a browser based Zed session the same as VSCode. | |
| ▲ | dddw an hour ago | parent | prev [-] | | If you like vs. but not M$. Use VsCodium. I did, but now preffer zed, which replaced my use of vscodium and sublimetext in 1 swoop. |
|
|
| ▲ | antimony51 2 hours ago | parent | prev | next [-] |
| > if you had some other XSS in a webview that you can get a victim to open, you get effectively full RCE on their computer. Github creds or the computer, can't decide which one is worse. |
|
| ▲ | fg137 3 hours ago | parent | prev | next [-] |
| > To those folks, I am sorry, but this is one of the few levers I have to try to influence MSRC and the security posture of VSCode Someone is going to be blacklisted by Microsoft. |
| |
| ▲ | ares623 an hour ago | parent [-] | | "Oh great Mythos, how do I remove all vulnerabilities from my products?" Percolating... Ban all vulnerability researchers |
|
|
| ▲ | selectively an hour ago | parent | prev [-] |
| Very unethical behavior combined by very bad security posture from the vendor. Bad. |
