A security researcher has disclosed details of a severe Visual Studio Code (VS Code) vulnerability that can be exploited to steal a user’s GitHub token and access their repositories.
The vulnerability in Microsoft’s popular code editor was discovered by Ammar Askar, who decided to make the technical details and a PoC exploit public without notifying the tech giant in advance.
The researcher described a previous “horrible experience” when reporting a VS Code vulnerability, which Microsoft patched silently without giving him any credit.
Askar made his new findings public on June 2, one hour after giving a heads-up to someone on the security team of GitHub, which Microsoft owns.
While the vulnerability was disclosed as a zero-day, Microsoft rolled out a fix on June 3.