VS Code Zero-Day Exposes GitHub Tokens to Theft via Malicious Links
A zero-day vulnerability in Visual Studio Code (VS Code) allows attackers to steal GitHub OAuth tokens with just one click. This exploit leverages VS Code's webview message-passing system to execute malicious scripts that simulate keypresses and install extensions, granting unauthorized access to private repositories. Users can protect themselves by clearing cookies for github.dev until a patch is released.
Summary
A security researcher has disclosed an unpatched zero-day vulnerability in Visual Studio Code (VS Code) that enables attackers to steal GitHub OAuth tokens through a single click. This exploit takes advantage of VS Code's webview message-passing system, allowing malicious scripts to simulate keypresses and install unauthorized extensions. The stolen tokens grant access to all repositories the victim can interact with, including private ones. Users are advised to clear cookies for github.dev as an immediate protective measure.
What Happened
A security researcher named Ammar Askar revealed a zero-day vulnerability in Visual Studio Code (VS Code) that allows attackers to steal GitHub OAuth tokens by tricking users into clicking a malicious link. This exploit targets VS Code's sandboxed webview message-passing system, which is designed to facilitate communication between the main editor and embedded webviews.
The vulnerability arises from the way VS Code handles keydown events within its webviews. Normally, these events are used to enable keyboard shortcuts even when the user is focused on a webview. However, this mechanism can be abused by malicious scripts running inside a compromised webview to simulate keystrokes and execute commands as if they were entered by the user.
How the Attack Works
The attack begins with an attacker crafting a link that directs the victim to a compromised version of github.dev, which is a browser-based interface for working on GitHub repositories. When the victim clicks the link, the malicious script within the webview simulates keypresses to open the command palette in VS Code.
Using this method, the attacker can execute commands such as installing an unauthorized extension. This extension is designed to extract the user's GitHub OAuth token and query the GitHub API for a list of all accessible repositories. The token has full access to any repository the victim can interact with, making it a significant security risk.
Technical Details
The core of this vulnerability lies in VS Code's handling of keydown events within its webviews. By default, these events are captured and relayed to the main editor window to ensure that keyboard shortcuts remain functional even when the user is focused on a webview. However, this feature can be exploited by malicious scripts to simulate user input.
The exploit involves sending a series of keydown events from within the webview to trigger VS Code's command palette. Once open, the attacker can use pre-defined keyboard shortcuts to install an extension that captures the GitHub OAuth token. This token is then used to access private repositories and other sensitive information on GitHub.
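The defensive lesson in the mechanism described above is that input relayed out of a webview is untrusted data, not a user action, and the host should apply a policy to it before dispatching any keybinding. The following is an added illustration written for this article, not code from VS Code or from the researcher's proof of concept: the message shape (`did-keydown`), the keybinding table and the privileged-command list are assumptions chosen for the example, although the command ids shown are real VS Code command ids.

```javascript
// Added example (not VS Code's own code): a host-side gate for keydown
// events that a sandboxed webview relays to the editor via postMessage.
// Message shape, binding table and policy are assumptions for illustration.

// Illustrative subset of a keybinding table: chord -> command id.
const KEYBINDINGS = new Map([
  ["Ctrl+Shift+P", "workbench.action.showCommands"],
  ["F1", "workbench.action.showCommands"],
  ["Ctrl+B", "workbench.action.toggleSidebarVisibility"],
  ["Ctrl+=", "workbench.action.zoomIn"],
]);

// Commands that must never be reachable through webview-originated input:
// each one is a stepping stone to running arbitrary further commands or
// installing code, which is exactly the chain the article describes.
const PRIVILEGED_COMMANDS = new Set([
  "workbench.action.showCommands",
  "workbench.extensions.installExtension",
]);

// Normalise a relayed keydown message into a chord string such as "Ctrl+Shift+P".
function chordOf(msg) {
  const parts = [];
  if (msg.ctrlKey) parts.push("Ctrl");
  if (msg.altKey) parts.push("Alt");
  if (msg.shiftKey) parts.push("Shift");
  if (msg.metaKey) parts.push("Meta");
  // Single characters are upper-cased so "p" and "P" map to the same chord;
  // named keys such as "F1" are kept as-is.
  parts.push(msg.key.length === 1 ? msg.key.toUpperCase() : msg.key);
  return parts.join("+");
}

// Decide whether a keydown relayed from a webview may be dispatched as a
// keybinding. `event` is the MessageEvent the host received; `trustedOrigin`
// is the origin the host itself assigned to the webview frame (assumed here).
// Returns { allow, reason, chord?, command? } so callers can log denials.
function gateWebviewKeydown(event, trustedOrigin) {
  if (event.origin !== trustedOrigin) {
    return { allow: false, reason: "untrusted-origin" };
  }
  const msg = event.data;
  if (!msg || msg.type !== "did-keydown" || typeof msg.key !== "string") {
    return { allow: false, reason: "malformed" };
  }
  const chord = chordOf(msg);
  const command = KEYBINDINGS.get(chord);
  if (!command) {
    return { allow: false, reason: "unbound", chord };
  }
  if (PRIVILEGED_COMMANDS.has(command)) {
    // Blocked regardless of whether a human or a script produced the event:
    // the host cannot tell the two apart once the message crosses the boundary.
    return { allow: false, reason: "privileged", chord, command };
  }
  return { allow: true, chord, command };
}

// Usage with constructed messages.
const ORIGIN = "vscode-webview://example-origin"; // assumed value
console.log(gateWebviewKeydown(
  { origin: ORIGIN, data: { type: "did-keydown", key: "P", ctrlKey: true, shiftKey: true } },
  ORIGIN
)); // denied: privileged
console.log(gateWebviewKeydown(
  { origin: ORIGIN, data: { type: "did-keydown", key: "b", ctrlKey: true } },
  ORIGIN
)); // allowed: toggles the sidebar
```

The trade-off is deliberate: a user who is genuinely focused inside a webview loses the ability to open the command palette without first clicking back into the editor, but a script inside the webview loses its path to privileged commands entirely. Because the host cannot distinguish a synthesised keydown from a real one after it has crossed the postMessage boundary, denying by command rather than trying to detect synthetic input is the only policy that holds.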
Proof of Concept
A proof-of-concept for this vulnerability has been released by Ammar Askar. The exploit code demonstrates how malicious JavaScript running inside a webview can simulate keypresses to install an extension that steals the user's GitHub OAuth token. A working proof-of-concept is published at https://github.com/ammaraskar/github-dev-token-steal-poc.
Defender Guidance
Until a patch is released, VS Code users can protect themselves by clearing cookies and local site data for github.dev. Once this data is cleared, an exploit attempt triggers a warning prompt instead of proceeding silently, giving users the chance to avoid inadvertently granting access to their GitHub token. To clear these settings:
- Click the Settings icon in the URL bar.
- Navigate to Cookies and site data > Manage on-device site data.
- Clear cookies and local storage for github.dev.
Additionally, users should be cautious about clicking links that direct them to github.dev and verify the authenticity of any extensions they install within VS Code.
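Because the attack ends with an extension the user never chose, a periodic check of what is actually installed is a useful complement to the cookie-clearing step. The script below is an added example written for this article, not a tool from the page or from the VS Code project. It parses the output of `code --list-extensions --show-versions`, which prints one `publisher.name@version` line per installed extension, and reports anything outside an assumed organisational allowlist; the sample listing and the policy are constructed for the example.

```javascript
// Added example (not from the page or the VS Code project): audit installed
// VS Code extensions against an approved list. Run `code --list-extensions
// --show-versions` and pass its output to auditExtensions().

// Constructed sample standing in for the real command's output.
const SAMPLE_LIST = `
ms-python.python@2024.4.1
esbenp.prettier-vscode@10.4.0
unknown-publisher.helper-tool@0.0.1
ms-vscode.cpptools@1.20.5
`;

// Hypothetical policy: publishers trusted wholesale, plus individual
// extension ids approved regardless of publisher.
const POLICY = {
  trustedPublishers: new Set(["ms-python", "ms-vscode"]),
  approvedExtensions: new Set(["esbenp.prettier-vscode"]),
};

// Parse `publisher.name@version` lines; lines that do not fit the format are
// kept and flagged rather than dropped, so nothing disappears from the report.
function parseExtensionList(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter(Boolean)
    .map((line) => {
      const m = /^([^.@\s]+)\.([^@\s]+)(?:@(\S+))?$/.exec(line);
      if (!m) return { raw: line, malformed: true };
      return { id: `${m[1]}.${m[2]}`, publisher: m[1], name: m[2], version: m[3] ?? null };
    });
}

// Return one finding per extension that is neither explicitly approved nor
// from a trusted publisher. An empty array means the install matches policy.
function auditExtensions(text, policy) {
  const findings = [];
  for (const ext of parseExtensionList(text)) {
    if (ext.malformed) {
      findings.push({ id: ext.raw, status: "malformed" });
      continue;
    }
    if (policy.approvedExtensions.has(ext.id) || policy.trustedPublishers.has(ext.publisher)) {
      continue;
    }
    findings.push({ id: ext.id, version: ext.version, status: "unapproved" });
  }
  return findings;
}

// Usage with the constructed sample; on a real machine pipe the command's
// output in instead.
console.log(auditExtensions(SAMPLE_LIST, POLICY));
// -> [ { id: 'unknown-publisher.helper-tool', version: '0.0.1', status: 'unapproved' } ]
```

An allowlist by publisher keeps the policy short for organisations that standardise on a few vendors, while the per-extension list covers the exceptions. Any unapproved finding is worth treating as a signal to review, since an extension installed through the path this article describes will show up here even though the user never saw an install prompt.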
What Remains Unclear
While the vulnerability has been disclosed and a proof-of-concept is available, several details remain unclear:
- The exact timeline for Microsoft's patch release.
- Whether other similar vulnerabilities exist in VS Code or related products.
- The extent to which attackers have already exploited this zero-day vulnerability.
These uncertainties highlight the importance of vigilance and proactive security measures until an official fix is deployed.
