VS Code Vulnerability Allows One-Click GitHub Token Theft

A severe Visual Studio Code vulnerability can let attackers steal a user’s GitHub token by luring them into opening a specially crafted Jupyter notebook on github.dev. Microsoft released a fix on June 3 after the zero-day disclosure. The issue also affects the desktop version of VS Code, where it has the potential for remote code execution.

Key points

  • Ammar Askar publicly disclosed a severe VS Code vulnerability.
  • The flaw can steal GitHub tokens through a malicious Jupyter notebook.
  • Opening the notebook on github.dev can trigger hidden code to install a malicious extension.
  • The stolen token can grant access to private repositories.
  • The desktop version of VS Code may also be vulnerable and can lead to remote code execution.

Read More: https://www.securityweek.com/vs-code-vulnerability-allows-one-click-github-token-theft/