VSCode Bug Enables 1-Click GitHub Token Theft
Original: 1-Click GitHub Token Stealing via a VSCode Bug
Why This Matters
Highlights critical security risks in popular development tools and OAuth implementations
A security researcher discovered a vulnerability in VSCode's webview implementation that allows attackers to steal GitHub tokens with read/write access to repositories through malicious links. The bug exploits cross-origin messaging in github.dev.
Researcher Ammar Askar revealed a critical VSCode vulnerability enabling GitHub token theft via malicious links. The bug targets github.dev, GitHub's browser-based VSCode instance that receives OAuth tokens with full repository access. VSCode uses webviews with iframe sandboxing for security, isolating content in vscode-webview:// origins from the main vscode-file:// window. Cross-origin communication relies on the Window.postMessage() API. The vulnerability exploits this messaging system, allowing attackers to craft malicious links that, when clicked, can exfiltrate GitHub tokens with read/write permissions to all accessible repositories, including private ones. The tokens are not scoped to specific repositories, granting broad access across user accounts.
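The summary above puts the trust boundary at the postMessage channel between the sandboxed webview and the main window. As an added example (not VSCode's code and not a reproduction of the reported bug), this sketch shows a host-side receiver that checks origin, sender window and message type before acting; the function names, message types and origin value are assumptions.

```javascript
// Hypothetical host-side receiver for messages from one sandboxed webview iframe.
// Names, message types and the origin value used in demo() are assumptions.
const ALLOWED_TYPES = new Set(["ready", "open-link"]);
function createWebviewReceiver({ webviewOrigin, webviewWindow, handlers }) {
  return function onMessage(event) {
    // 1. Exact match on the origin the host assigned to this webview.
    if (event.origin !== webviewOrigin) return { accepted: false, reason: "origin" };
    // 2. Sender must be this iframe's window, not another frame or opener.
    if (event.source !== webviewWindow) return { accepted: false, reason: "source" };
    // 3. Payload must be an object carrying an allowlisted, handled type.
    const msg = event.data;
    if (msg === null || typeof msg !== "object" || typeof msg.type !== "string") {
      return { accepted: false, reason: "shape" };
    }
    const handled = Object.prototype.hasOwnProperty.call(handlers, msg.type);
    if (!ALLOWED_TYPES.has(msg.type) || !handled) {
      return { accepted: false, reason: "type" };
    }
    // 4. Handlers receive only the payload, never host state such as tokens.
    return { accepted: true, result: handlers[msg.type](msg.payload) };
  };
}

// Handler for "open-link": returns a normalized https URL or null.
function safeOpenLink(payload) {
  try {
    const url = new URL(String(payload && payload.href));
    return url.protocol === "https:" ? url.href : null;
  } catch {
    return null;
  }
}

// Constructed sample events; plain objects stand in for MessageEvent and windows.
function demo() {
  const frame = {}, other = {};
  const origin = "vscode-webview://constructed-id";
  const rx = createWebviewReceiver({
    webviewOrigin: origin, webviewWindow: frame,
    handlers: { "open-link": safeOpenLink },
  });
  const link = { type: "open-link", payload: { href: "https://example.com/docs" } };
  return [
    rx({ origin, source: frame, data: link }),
    rx({ origin: "https://other.example", source: frame, data: link }),
    rx({ origin, source: other, data: link }),
    rx({ origin, source: frame, data: { type: "get-token" } }),
  ];
}
```

In a browser the returned function would be registered with `window.addEventListener("message", ...)`, with `webviewWindow` set to the iframe's `contentWindow`.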