Github.Dev Vulnerability Lets Attackers Steal Tokens With One Click

The vulnerability turns a convenience feature of github.dev into a one-click token theft vector, putting private repositories at risk for any user who clicks a crafted link.

Reporting from 1 source: GIGAZINE.

A security researcher has disclosed a vulnerability in GitHub's browser-based development environment github.dev that allows an attacker to steal a user's GitHub authentication token by tricking them into clicking a single link. The bug exploits a mechanism in VS Code's Webview feature to execute an attacker-prepared extension.

Security researcher Ammar Askar has reported a vulnerability in github.dev, GitHub's browser-based development environment. The bug allows an attacker to steal a user's GitHub OAuth token with a single click on a crafted link. The attack exploits a mechanism in VS Code's Webview feature that relays keyboard operations from isolated display areas to the editor's main body. Scripts running inside a Webview can send programmatically generated key operations, faking shortcut sequences that install an attacker-prepared extension. Once the extension runs, it can access the GitHub API token used by github.dev and query private repositories. Askar's proof of concept displays the stolen token and private repository list in an info box; a real attack could send that data to an attacker's server.

Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.

Sources