VS Code zero-day lets hackers steal GitHub tokens in one click

A security researcher has released exploit code for a Visual Studio Code (VS Code) zero-day vulnerability that allows attackers to steal GitHub authentication tokens by tricking users into clicking a link.

Microsoft classifies a software flaw as a zero-day if it is publicly disclosed and/or actively exploited with no official patch currently available.

As researcher Ammar Askar explained in a blog post on Tuesday, this VS Code vulnerability allows attackers to install malicious extensions that steal GitHub OAuth tokens when they are passed to github.dev (a browser-based version of Visual Studio Code used to work on GitHub repositories) by exploiting VS Code's sandboxed webview message-passing system.

The proof-of-concept exploit he also released on Tuesday abuses this system by running malicious JavaScript inside a webview to simulate keypresses in the main editor and install an extension that extracts the GitHub OAuth token sent to github.dev and queries the GitHub API to enumerate all private repositories the victim can access.

"This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf," Askar said. "The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to."