VS Code zero-day lets attackers steal GitHub tokens

A security researcher has released exploit code for a Visual Studio Code zero-day that can steal GitHub OAuth authentication tokens. The attack works by tricking users into clicking a link, installing a malicious extension through VS Code’s github.dev webview

The moment a user clicks a link in the wrong context, the damage can be immediate. A security researcher says a Visual Studio Code zero-day flaw can be used to steal GitHub authentication tokens—with no patch available—and the exploit is designed to trigger through a single click.

On Tuesday, the researcher Ammar Askar published a proof-of-concept for the Visual Studio Code vulnerability. Microsoft classifies a software flaw as a zero-day if it is publicly disclosed and/or actively exploited with no official patch currently available.

Askar’s explanation pins the problem on github.dev, the browser-based version of Visual Studio Code used to work on GitHub repositories. He says the vulnerability lets attackers install malicious extensions that steal GitHub OAuth tokens when those tokens are passed to github.dev, by exploiting VS Code’s sandboxed webview message-passing system.

In his proof-of-concept, malicious JavaScript runs inside a webview. It then simulates keypresses in the main editor so an extension can be installed. That extension extracts the GitHub OAuth token sent to github.dev, and it queries the GitHub API to enumerate all private repositories the victim can access.

“This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf,” Askar wrote. “The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to.”


The lack of limits on that token is the detail that makes the exploit dangerous in practice. One interaction can become a broad inventory of what the victim is able to access across GitHub.

The vulnerability has not yet been patched and has not been assigned a CVE ID. Even so, Askar says users can protect themselves by clearing cookies and local site data for github.dev in their browser. The steps he recommends begin by clicking the Settings icon in the URL bar, then going into Cookies and site data > Manage on-device site data.

With that data cleared, Askar says users should see a “The extension ‘GitHub Repositories’ wants to sign in using GitHub.” warning when clicking on links attempting to exploit the flaw.


Askar also described how the disclosure unfolded. He said he notified GitHub one hour before disclosing the bug and argued that he chose immediate public disclosure after a prior negative experience with Microsoft’s security response process. In that earlier case, he says, a previously reported VS Code bug was silently fixed without credit or acknowledgment of the security impact.

“That was mostly a courtesy to GitHub, the intent here was full public disclosure. In my past experience reporting github.dev bugs to them, they tell you that it’s out of scope and go report it to MSRC. And as I outlined in the article, I really don’t want to deal with MSRC on VSCode bugs,” Askar said.

He added: “To summarize the last time I interacted with MSRC regarding reporting a VSCode bug, it was a horrible experience where they silently fixed the bug I pointed out without any credit. They also marked it as not having any security impact.” He then said: “As I mentioned in that post, going forward I would be doing full public disclosure for any security bugs I found in VSCode.”


The VS Code flaw is part of a broader set of reported zero-days tied to a separate stream of disclosures by an anonymous researcher using the ‘Nightmare Eclipse’ online handle. Over the past several months, Nightmare Eclipse disclosed the BlueHammer, RedSun, GreenPlasma, and MiniPlasma privilege escalation zero-day flaws (with the first two now being exploited in attacks); YellowKey, a Windows BitLocker zero-day that grants access to protected drives; and UnDefend, another zero-day that can be exploited to block Microsoft Defender definition updates.

Microsoft’s response to Nightmare Eclipse’s zero-day leaks began with threats of legal action, and was followed by a tweet saying it would work “with law enforcement as appropriate” when “an individual breaks the law and engages in malicious activity causing real harm to our customers.”

BleepingComputer reached out to Microsoft for a comment on Askar’s VS Code zero-day, but a response was not immediately available.

Right now, the threat hinges on timing and user behavior—click a malicious link, and the exploit code Askar released is built to turn a token meant for github.dev into access across repositories. And with no official patch yet, the defense depends on a browser-side reset and heightened attention to sign-in warnings.
