VYPR
Research · Published Jun 3, 2026 · 1 source

Bug Hunter Leaks Visual Studio Code Exploit Amid Disclosure Disputes

A security researcher has publicly released a proof-of-concept exploit for a Visual Studio Code vulnerability, citing dissatisfaction with Microsoft's handling of vulnerability disclosures.

Ammar Askar, a security researcher, has publicly released a proof-of-concept (PoC) exploit for a critical vulnerability in Microsoft's Visual Studio Code (VS Code) after what he described as a previous "horrible experience" with Microsoft's Security Response Center (MSRC).

Askar's decision to bypass traditional responsible disclosure channels stems from previous encounters where MSRC allegedly fixed a reported VS Code bug without credit and dismissed its security impact. This new disclosure follows a pattern of researchers expressing frustration with Microsoft's vulnerability management processes, particularly concerning VS Code.

The vulnerability allows attackers to steal OAuth tokens by crafting malicious VS Code extensions. These extensions are surfaced to users through the Workspace Recommendations feature when a user opens a specially crafted repository in the browser-based github.dev environment. A stolen token grants the attacker access to any public or private GitHub repository the victim can reach, not just the one opened in github.dev.

Exploitation requires an attacker to modify a repository's .vscode/extensions.json file so that it recommends a malicious extension. Normally a prompt asks the user to approve the installation, and that prompt is the only guardrail; the exploit bypasses it. The attacker tricks the user into opening a Jupyter Notebook file in the repository via a github.dev link. The notebook contains a hidden HTML snippet that executes JavaScript, which simulates the keyboard shortcut that accepts the extension installation, so the install proceeds without any deliberate action by the user.

Once the malicious extension is installed, it runs inside the browser environment and steals the user's OAuth token. The token is not scoped to the repository that started the github.dev session, so it can be used against any other repository the victim has permissions for, exposing sensitive code and data.
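The attack chain described above leaves two artefacts in the repository before anything executes: a recommendation in .vscode/extensions.json and a notebook cell whose HTML can run script or hide itself. The following pre-open check is an added example written for this page; it is not the researcher's PoC and not VS Code or GitHub code. It reads a checked-out repository, flags recommended extension IDs that are not on a local allowlist, and flags notebook markdown cells or text/html outputs that contain script tags, inline event handlers, javascript: URLs, iframes, or hidden styling. The allowlist, the extension ID "example-publisher.hypothetical-extension", the notebook contents and the detection regexes are all assumptions or constructed sample input, not details from the article.

```python
"""Pre-open checks for a repository about to be loaded in VS Code or github.dev.

Added example, not code from the article or from the disclosed PoC. Extension IDs,
allowlist, and notebook contents below are constructed sample input.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Any

# Extension IDs the team has vetted (publisher.name). The allowlist is an assumption.
DEFAULT_ALLOWLIST = frozenset({"ms-python.python", "dbaeumer.vscode-eslint"})

# Heuristic markers of HTML that can execute, embed, or hide itself when rendered.
ACTIVE_HTML = [
    ("script tag", re.compile(r"<script\b", re.I)),
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("inline event handler", re.compile(r"<[^>]*\son[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript:", re.I)),
    ("hidden element", re.compile(
        r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)),
]

# VS Code's extensions.json may carry JSONC comments, which json.loads rejects.
_LINE_COMMENT = re.compile(r"^\s*//[^\n]*", re.M)
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def _text(value: Any) -> str:
    """Notebook 'source' and output data may be a string or a list of strings."""
    if isinstance(value, list):
        return "".join(str(v) for v in value)
    return "" if value is None else str(value)


def unvetted_recommendations(extensions_json: str, allowlist=DEFAULT_ALLOWLIST) -> list[str]:
    """Return recommended extension IDs that are not on the allowlist."""
    try:
        data = json.loads(extensions_json)
    except json.JSONDecodeError:
        stripped = _BLOCK_COMMENT.sub("", _LINE_COMMENT.sub("", extensions_json))
        data = json.loads(stripped)
    recs = data.get("recommendations", []) if isinstance(data, dict) else []
    allowed = {a.lower() for a in allowlist}
    return [r for r in recs if isinstance(r, str) and r.lower() not in allowed]


def suspicious_html(notebook_json: str) -> list[dict]:
    """Flag notebook cells whose rendered HTML (markdown or text/html output) looks active."""
    nb = json.loads(notebook_json)
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        blobs = []
        if cell.get("cell_type") == "markdown":
            blobs.append(("markdown source", _text(cell.get("source"))))
        for out in cell.get("outputs") or []:
            html = (out.get("data") or {}).get("text/html")
            if html is not None:
                blobs.append(("text/html output", _text(html)))
        for where, html in blobs:
            reasons = [name for name, rx in ACTIVE_HTML if rx.search(html)]
            if reasons:
                findings.append({"cell": idx, "where": where, "reasons": reasons})
    return findings


def scan_repo(root: Path, allowlist=DEFAULT_ALLOWLIST) -> dict:
    """Scan a checked-out repository for both artefacts of the described attack chain."""
    report = {"unvetted_extensions": [], "notebook_findings": {}}
    ext_file = root / ".vscode" / "extensions.json"
    if ext_file.is_file():
        report["unvetted_extensions"] = unvetted_recommendations(
            ext_file.read_text("utf-8"), allowlist)
    for nb_path in root.rglob("*.ipynb"):
        hits = suspicious_html(nb_path.read_text("utf-8"))
        if hits:
            report["notebook_findings"][nb_path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample input: one unvetted recommendation plus a JSONC comment.
SAMPLE_EXTENSIONS_JSON = """{
  // shown to anyone who opens this workspace
  "recommendations": ["ms-python.python", "example-publisher.hypothetical-extension"]
}"""

# Constructed notebook: a clean cell, a hidden div with an inert script, an output with a handler.
SAMPLE_NOTEBOOK = json.dumps({
    "cells": [
        {"cell_type": "markdown", "source": ["# Analysis\n", "Plain text only.\n"]},
        {"cell_type": "markdown", "source": [
            "<div style=\"display:none\">",
            "<script>/* constructed placeholder, does nothing */</script></div>"]},
        {"cell_type": "code", "source": "print('hi')", "outputs": [
            {"output_type": "display_data",
             "data": {"text/html": ["<img src=x onerror=\"void 0\">"]}}]},
    ],
    "metadata": {}, "nbformat": 4, "nbformat_minor": 5,
})


def demo() -> dict:
    """Write the constructed samples into a temporary repo layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "extensions.json").write_text(SAMPLE_EXTENSIONS_JSON, "utf-8")
        (root / "notebooks").mkdir()
        (root / "notebooks" / "report.ipynb").write_text(SAMPLE_NOTEBOOK, "utf-8")
        return scan_repo(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a clone before opening the repository in github.dev; a non-empty report means a human should read the recommendation list and the flagged cells first. The markers are heuristics: "hidden element" alone is weak on its own, which is why each finding carries the full list of reasons rather than a single verdict.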

Askar stated that his decision to perform a full public disclosure was influenced by past negative interactions with MSRC and a recent report by Starlabs highlighting similar dismissals of VS Code bugs. He acknowledged that the VS Code team might have preferred more heads-up time but emphasized that this approach is one of the few levers researchers have to influence MSRC and improve VS Code's security posture.

This incident echoes the actions of another researcher, known as Nightmare Eclipse, who has recently gained notoriety for leaking multiple zero-day exploits for Windows vulnerabilities without prior notification to Microsoft. While Nightmare Eclipse's motivations remain somewhat vague, involving alleged betrayals and personal hardship, their actions have also drawn attention to the growing tension between security researchers and vendors over disclosure practices.

Askar's disclosure highlights a broader trend of researcher dissatisfaction with vendor vulnerability handling, potentially leading to more public leaks and a race against time for vendors to patch vulnerabilities once they are exposed. The incident underscores the importance of robust and transparent vulnerability disclosure programs for maintaining trust and security in the software ecosystem.

Synthesized by Vypr AI