Zooming way out (perhaps to the point of useless observation), it's a pity that the web embedded VSCode editor is signed into GitHub at all. Defense-in-depth or not, a huge vulnerability surface arises from that original sin. It'd be like if you had a god-permissioned GitHub API token stored in world-readable plaintext on your workstation for the malicious-NPM-package-of-the-week to find.
In a perfect world, it'd be awesome if the in-browser IDE launched with a temporary per-repo permission scope or token that allowed only pull and push to the repo in question; no github.com web session whatsoever. If you want the full GitHub web UI experience, well .... go back to github.com; make github.dev a single-repo service.
I'm assuming that's a) inconvenient for users, b) hard to implement, and c) a historical assumption baked into a lot of the github.dev tooling, though. Ah well.
That's actually exactly what they do for codespaces. The token only has read/write on the repo you activated for the codespace [1]. They should definitely consider doing that for github.dev as well.
[1] https://orca.security/resources/blog/hacking-github-codespac...
This is going to get worse and worse. I recently noticed AI harness (e.g. OpenCode) downloading random npm packages in the background and litter them everywhere in a few place in ~ and in your project dir, all without telling/asking you.
What's worse is that people don't seem to care even the devs.
It is not safe in the sense that for every extension you install, you are essentially installing a new Node.js app with all its bundled dependencies. Even if you trust the publisher, I am sure there are many holes to exploit.
Separately, I think the debate around extensions/plugins in general boils down to the same conversation about trust and isolation we have for every third-party software supplier (package managers etc.).
Options include:
1. Vetting/blessing certain extensions.
2. Serving built extensions from a central registry/artifact store with security protections
3. Having VSCode organically grow a shitty version of different operating systems' "X wants to access Y; confirm?" permissions access system (a pain in the ass to do in a cross-platform way).
4. Having VSCode somehow run extensions as separate applications according to the OS and leveraging the OS's permission system (still hard, and because it's an IDE, rather a lot of extensions will need--or request because of sloppy extension code--very broad permissions, at which point an extension is one transitive dependency update away from compromising your system).
5. Running the entire VSCode instance in some sort of container/VM/sandbox (the amount of access holes folks poke in the Snap/Flatpak VSCode instances, and the number of common issues for which "stop using the container and install VSCode directly on the system" is the recommended fix does not give me hope that this will be adopted by anyone but the most expert, patient, and paranoid users).
How about pull from the repo but only push to a staging area from which the user, but not the token, can push for real?
Frankly, LLM agents should do this too. Letting your LLM push seems foolhardy to me.
I have been thinking more and more about how I might use this pattern.
That's...exactly what the AWS CLI does.
But then someone else on the team should have to manually approve that MR to allow it to be merged to main.
This kind of defeats the ability of malware to push stuff out automatically.
Classic MSRC. It has figured out that researchers will report for free regardless. Why change?
I don’t know the specifics of this case, but I’ve managed bug bounty programs in the past through Bountysource and HackerOne. One thing that occasionally happens is that a report makes its way to the development team before the security team has fully assessed it, in this case MSRC.
At that point, a developer may decide to quietly fix the issue. Sometimes that’s driven by a concern, rational or not, that being associated with a security bug could reflect poorly on them or affect future promotion opportunities. The result is that by the time the security team attempts to reproduce the report, the vulnerability is already gone.
From MSRC’s perspective, all they see is that the provided reproduction steps no longer work. They have no visibility into the internal history of the bug or whether someone already patched it. As a result, the report gets closed as invalid even though the original finding may have been legitimate.
Aww man, if only they owned some sort of platform for tracking those, powered by some sort of program. Doesn't even have to be a smart problem, it can be, succintly, shortly, stupid. If only.
This is laziness, security absolutely could verify these steps.
I'm catching up on the infosec twitter side but it seems like it was even worse. A lot of people have the same story as me in 2023 of "they silently patch the bug and don't even credit you" which really stinks.
github token got stolen and also cloudflare tokens
guys even if you take security seriously you are going to get hit on a long enough time frame
best thing to do is segregate and control damage
trust no one, nothing, use orbstack, and always operate under the assumption that your token is going to get leaked at some point
it knocked off my entire momentum. fortunately seemed like it was just a spam bot that took my tokens and created bunch of fake spam pages and trying to mine crypto
the biggest feeling is the one of feeling violated
take care fellow travelers
> created bunch of fake spam pages and trying to mine crypto
saw a weird spam site, so damn tired went to bed thinking it was some mislick on my side
woke up next morning and loaded up my domain, it redirected and panic set in
my SEO is probably nuked even though it has been under 24 hours
I first encountered that concept with a client that put every webapp in it's own virtual server and expected the vm to get compromised at some point. Seemed like a very sensible idea 15 years ago.
wall it off and dont trust VMs either. if you have something of value they can escape it.
just pointing out what I use currently if you know something better/competitor please feel free to advertise them
Maybe it’s just my preference, but I like having a small setup where I know what is installed and what is running. With VSCode, browser IDEs, extensions, sync, tokens, and random plugins, it gets hard to tell what actually has access to what.
I wish I could add “and I never looked back”, but honestly in the past year or two Neovim started regularly breaking my setup (approximately every upgrade). Had some inklings it might happen eventually… Strictly speaking, 10 years in, nvim is yet to have its first stable version released—which means technically one can’t blame it for instability, but which is useful to keep in mind.
Considering going back to plain vim. I’m sure I will lose many niceties, but hopefully it would not require me to troubleshoot broken functionality in the middle of work.
Depending on what third party packages you use, you may sometimes get breakage there, but if you start out with a kit like doom emacs, you’ll be largely insulated from that.
There’s also always newer stuff like zed, which looks pretty great and is very snappy in my limited testing.
https://doublepulsar.com/microsofts-stance-on-zero-day-explo...
Someone is going to be blacklisted by Microsoft.
Percolating...
Ban all vulnerability researchers
I have no interest in selling these vulnerabilities or sitting on them. At the same time, it feels really bad to have a vendor disrespect the hours it can take to make a proof-of-concept by just patching it silently and not crediting you or acknowledging it.
Even with network monitoring, exfil to Github itself can be very hard to stop unless you SSL intercept and have very strict URL allow lists.
Best is to move away from Github, move to self hosted internal Gitlab/Forgejo and block Github completely.
The author said:
You cannot just use the shortcut trick to install the evil extension directly because of new publisher trust system;
You can bypass this by using local workspace extensions which has no publisher screening, but CSP blocks it;
The solution seems to be that installing a local workspace extension which binds a shortcut of 'install extension without checking publisher'.
So I assume it means:
1. you need two extensions, 1st one is local and only for the keybinding, and 2nd one is the 'real' evil one and it doesn't need to (actually can't, because of CSP) be local anymore?
2. the CSP only prevents the JS in local extension but nothing about its package.json (or the ability to add shortcuts), right?
We can try to just put a `my-extension/extension.js` for the most direct execution but the CSP blocks that. It's only a script-src CSP blocking it though, so fetching the package.json is still kosher. So we end up using it to contribute a keybinding instead.
It's so refreshing to read technical articles that are clearly written by a knowledgeable human and explained perfectly like this. By walking the reader through this with the example screenshots it unfolds and gets more interesting as you continue reading.
It's also strange to realize that these days, most articles are not like this.
Like, disclose it, wait a week, publish it. That seems, to me, like it would avoid almost all the bad press this is getting, and shows that the researcher DOES care about actual security and not just recognition from MSFT.
That's probably one of the fastest responses I've seen from a vendor.
There are probably better sources but I think this video by The Primeagen is a good introduction.
Small nitpick, but it's also possible to communicate by changing the location.anchor property (by either the iframe or its parent window.)
Github creds or the computer, can't decide which one is worse.
Very cool.