A security researcher has released proof-of-concept exploit code for a VS Code zero-day that can steal GitHub OAuth tokens by luring users into clicking a malicious link. The flaw can be abused through github.dev to install a malicious extension and enumerate private repositories accessible to the victim. #VisualStudioCode #githubdev #GitHubOAuthTokens #AmmarAskar
Key points
- A VS Code zero-day can steal GitHub OAuth tokens through a malicious link.
- The flaw abuses the sandboxed webview message-passing system in github.dev.
- The exploit code installs a malicious extension inside the victim's editor session.
- The stolen token can be used to list private repositories the victim can access.
- Users can reduce risk by clearing cookies and on-device site data for github.dev.