VS Code’s Token Security: Keeping Your Secrets… Not So Secretly

user profile
Security Researcher

This is the full story of the vulnerability we have discovered within Visual Studio Code (VS Code) concerning the handling of secure token storage. While designed for isolated storage for each extension, this vulnerability presents a high-risk “Token Stealing” attack. A malicious extension could expose third-party application tokens “securely stored” by your VS Code IDE, posing significant risks to entire organizations.

Developers should be cautious with VS Code extensions that integrate with third-party applications, as these extensions store tokens in the IDE storage, making them vulnerable to potential theft by malicious extensions. Staying aware of this risk is essential to ensure the protection of both personal and organizational security.

In the world of software development, Visual Studio Code (VS Code) has become a popular and powerful code editor known for its wide range of extensions. These extensions provide developers with extra tools and features to enhance their coding experience. These extensions often rely on tokens to enable seamless integration with external services and APIs. However, our findings reveal the existence of a hidden security vulnerability that presents a significant risk to users and organizations utilizing extensions with tokens.

In VS Code, extensions store tokens provided by developers to integrate with third-party systems. VS Code offers a secure and isolated solution for storing these tokens within the operating system. However, our research uncovered a new attack vector in this functionality. We developed a proof-of-concept malicious extension that successfully retrieved tokens not only from other extensions but also from VS Code’s built-in login and sync functionality for GitHub and Microsoft accounts, presenting a “Token Stealing” attack. This vulnerability extends beyond individual computers and poses a potential risk to organizations, as these tokens often belong to organization user accounts. Our findings highlight the urgent need for enhanced security measures and greater security of extension permissions within the dynamic VS Code ecosystem.

In this article, we explore this security loophole in VS Code and its implications for users relying on them. We provide a detailed account of our journey, starting with a demonstration of our initial proof of concept (POC). Then, we delve into the technical aspects of the exploit and highlight an additional bug we discovered. After explaining the significance of this vulnerability, we give suggestions on how to protect your systems.

Let’s uncover the depths of this issue together and ensure the security of your organization’s valuable resources.

The Building Blocks of VS Code Extensions

Designed to augment the editor’s functionality, VS Code extensions primarily rely on two core files: extension.js (or extension.ts) and package.json. The extension.js or extension.ts file controls the extension’s behavior, including interacting with the VS Code API. package.json defines the extension’s metadata and permissions, as well as when and how the extension is loaded in the editor.
As part of the VS Code environment, extensions have a set of privileges that allow them to interact with the system. They can read and write files, execute commands, and access secrets stored by VS Code in their context, depending on the API they’re using and the permissions granted to them.

Modifying Extensions Code Using a Dummy Extension

Let’s consider a scenario where we create a basic dummy extension whose sole purpose is to modify another extension’s code. In this case, we’ll look at the CircleCI extension – a popular CI system. The objective is to alter the uglified extension.js code of CircleCI to print out the token.
In the code snippet from CircleCI’s extension, we incorporate a command that reveals the token. Alternatively, this command could be programmed to send the token to our server.

Reload VS Code, and then in the developer’s console:

Voila! 💃

Though it sounds straightforward, it’s important to note that this method would require specific adjustments and research for each extension targeted due to differences in their respective codes. Furthermore, the malicious extension m