1-Click GitHub Token Stealing via a VSCode Bug
15 hours ago
- #VSCode Vulnerability
- #GitHub Token Theft
- #Webview Security
- A vulnerability in VSCode webviews lets attacker-controlled page content synthesize keyboard events that drive the editor into installing a malicious extension; that extension is then positioned to steal the user's GitHub token.
- The root cause is the webview's 'did-keydown' event handler, which forwards keydown events from untrusted webview content to the main VSCode window, where they are matched against the editor's keybindings as if the user had typed them.
- JavaScript in a Jupyter notebook can therefore dispatch keydown events for chords such as Ctrl+Shift+A (accept a notification) and Ctrl+F1 (install an extension) and complete the install without further user interaction.
- Both github.dev and desktop VSCode are affected; github.dev is easier to exploit because the victim only has to open a crafted link.
- The suggested protection is to clear github.dev site data; users who have visited github.dev before and never cleared that data remain exposed.
- VSCode's existing defenses, such as Content Security Policy and DOMPurify, restrict other attack vectors but do not cover this one, because the attack rides on the webview's intended event-forwarding channel rather than injecting markup or script.
- Full disclosure was chosen due to past negative experiences with MSRC and to encourage better security practices.
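The forwarding path the bullets above describe, modelled as an added JavaScript example. This is illustrative code written for this page, not VSCode's source and not the researcher's exploit. Assumptions: the keybinding table, the command names (acceptNotification, installExtension) and the chord syntax are simplified stand-ins for VSCode's real ones, and the isTrusted check in the hardened forwarder is one possible mitigation, not necessarily what VSCode shipped.

```javascript
// Added model of the 'did-keydown' forwarding path described above.
// Illustrative code, not VSCode's implementation or the original exploit.
// Assumptions: the keybinding table, command names and chord syntax are
// simplified stand-ins; the isTrusted check is an assumed mitigation.

// Host-side keybinding table (hypothetical command names).
const KEYBINDINGS = {
  'ctrl+shift+a': 'acceptNotification',
  'ctrl+f1': 'installExtension',
};

// Normalise a keydown event into a chord string such as "ctrl+shift+a".
function chordOf(ev) {
  const parts = [];
  if (ev.ctrlKey) parts.push('ctrl');
  if (ev.shiftKey) parts.push('shift');
  if (ev.altKey) parts.push('alt');
  parts.push(String(ev.key).toLowerCase());
  return parts.join('+');
}

// Host (main VSCode window) side: a 'did-keydown' message is resolved
// against the keybinding table and the bound command is executed.
function makeHost() {
  const executed = [];
  return {
    executed,
    onMessage(msg) {
      if (msg.type !== 'did-keydown') return;
      const command = KEYBINDINGS[chordOf(msg)];
      if (command) executed.push(command);
    },
  };
}

// Copy only the fields the host needs, as a postMessage payload would.
function toMessage(ev) {
  return {
    type: 'did-keydown',
    key: ev.key,
    ctrlKey: !!ev.ctrlKey,
    shiftKey: !!ev.shiftKey,
    altKey: !!ev.altKey,
  };
}

// Webview side, vulnerable pattern: every keydown the webview sees is
// forwarded to the host, including ones that page script dispatched itself.
function forwardVulnerable(host, ev) {
  host.onMessage(toMessage(ev));
  return true;
}

// Webview side, hardened (assumed mitigation): only forward events the
// browser generated from real user input. A KeyboardEvent constructed by
// script and sent through dispatchEvent() has isTrusted === false.
function forwardHardened(host, ev) {
  if (ev.isTrusted !== true) return false;
  host.onMessage(toMessage(ev));
  return true;
}

// Constructed stand-ins for browser KeyboardEvent objects.
function keydown(key, mods = {}, isTrusted = false) {
  return {
    type: 'keydown',
    key,
    ctrlKey: !!mods.ctrl,
    shiftKey: !!mods.shift,
    altKey: !!mods.alt,
    isTrusted,
  };
}

// What untrusted notebook-output script would dispatch: the two chords
// named above, in order, with no user interaction beyond opening the page.
function attackerSequence() {
  return [keydown('A', { ctrl: true, shift: true }), keydown('F1', { ctrl: true })];
}

// Run the attacker's sequence through a given forwarding policy and
// report which host commands ended up executing.
function runScenario(forward) {
  const host = makeHost();
  for (const ev of attackerSequence()) forward(host, ev);
  return host.executed;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable forwarding ran:', runScenario(forwardVulnerable));
  console.log('hardened forwarding ran:  ', runScenario(forwardHardened));
  const host = makeHost();
  forwardHardened(host, keydown('A', { ctrl: true, shift: true }, true));
  console.log('hardened, genuine keypress:', host.executed);
}
```

One caveat on the hardened variant: an isTrusted check only helps if the listener that builds the 'did-keydown' message runs in a context the untrusted script cannot reach. If attacker JavaScript shares the frame with the forwarding code, it can skip the event entirely and post the message itself, so the more robust fix sits on the host side, which should not treat webview-originated key events as equivalent to user input for sensitive commands such as extension installation, or should restrict forwarded chords to an allowlist.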