Carding
Researchers have found a way around token isolation. But does Redmond plan to fix the problem?
A vulnerability has been discovered in Microsoft's popular VSCode (Visual Studio Code) editor that allows malicious extensions to access the authentication token store on Windows, Linux, and macOS.
These tokens are used for integration with third-party services and APIs such as GitHub. Their theft can have very serious consequences for the security of the compromised organization, including unauthorized access to systems and leaks of confidential data.
The vulnerability was discovered by researchers at Cycode, who reported it to Microsoft together with a working exploitation example. The problem stems from VSCode's lack of isolation between authentication tokens in the "secret storage" API, which lets extensions store tokens in the operating system's credential store.
This is done through Keytar, the wrapper VSCode uses to interact with the credential store (on Windows), keychain (on macOS), or keyring (on Linux).
As a result, any extension running in VSCode, including a malicious one, can access the secret storage and abuse Keytar to retrieve stored tokens.
According to the Cycode researchers, not only the built-in GitHub and Microsoft authentication is affected: every credential saved by third-party extensions is vulnerable as well.
Cycode tested the attack by creating a malicious extension that steals tokens belonging to the popular CircleCI development platform. They were able to extract these secrets without modifying the target extension's code.
The key point is that any VSCode extension is authorized to access the operating system's store, because it runs inside an application to which the OS has already granted that access.
The researchers also found a second problem: the "getFullKey" function retrieves secrets based on the extension ID, which is built from the extension's name and publisher. This makes it possible to trick VSCode into handing over another extension's tokens.
Cycode reported the problem to Microsoft two months ago, demonstrating a test extension that steals tokens. However, Microsoft engineers did not consider this a security risk and decided to keep the existing VSCode secret storage architecture.