Summary
A zero-day vulnerability in Visual Studio Code allows attackers to steal GitHub OAuth tokens via a one-click exploit that simulates user keystrokes to install malicious extensions. The flaw exposes all private and public repositories accessible to the victim by abusing the editor's webview message-passing system.
Take Action:
Update VS Code and reload github.dev to get the latest patch that fixes this token-stealing flaw, since both the desktop and browser versions are affected. As an extra precaution, clear cookies and site data for github.dev so it will ask for permission again before any extension can touch your GitHub credentials.
Read the full article on BeyondMachines
This article was originally published on BeyondMachines