Raul Onitza-Klugman & Kirill Efimov

Vulnerable VS Code extensions are now at your front door

Could your favorite VS Code extension be stealing your SSH keys? This talk reveals how a single flaw can lead to total system compromise.

Vulnerable VS Code extensions are now at your front door
#1about 5 minutes

The expanding role of developers in security

Digital transformation has shifted infrastructure and security responsibilities to developers, increasing their value as an attack target.

#2about 3 minutes

Integrating security earlier in the development lifecycle

Security testing has shifted left to integrate with agile development, making developers responsible for triaging issues like transitive dependency vulnerabilities.

#3about 6 minutes

Common attacks targeting software developers

Attackers compromise developers through methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.

#4about 5 minutes

Why VS Code extensions are a major attack surface

VS Code's massive popularity and its extensive, under-researched extension marketplace make it a prime target for compromising developers.

#5about 2 minutes

Building a pipeline to analyze VS Code extensions

A processing pipeline was built to download all marketplace extensions, extract their source, and run static and dynamic analysis to find vulnerabilities.

#6about 5 minutes

Exploiting path traversal in the Instant Markdown extension

The Instant Markdown extension runs a local web server with a path traversal vulnerability, allowing an attacker to access arbitrary files on the user's machine.

#7about 8 minutes

Bypassing browser security to attack local servers

A malicious website can exploit a local server by using an XSS vulnerability to bypass CORS and exfiltrate data from the victim's machine.

#8about 3 minutes

Demo: Stealing SSH keys via a vulnerable extension

This demonstration shows how visiting a malicious link triggers an exploit chain that steals a local SSH key through the vulnerable Instant Markdown extension.

#9about 5 minutes

Remote code execution in the LaTeX Workshop extension

The LaTeX Workshop extension was vulnerable to remote code execution through a WebSocket connection that could trigger a VS Code API to open local applications.

#10about 3 minutes

Impact, disclosure, and mitigation strategies

Vulnerable extensions can lead to full supply chain attacks, but responsible disclosure led to quick fixes, and developers can mitigate risk through extension hygiene.

Related jobs
Jobs that call for the skills explored in this talk.

job ad

Saby Company
Delebio, Italy

Intermediate

d

Saby Company
Delebio, Italy

Junior

Matching moments

Why VS Code extensions are a prime target
14:05 MIN

Why VS Code extensions are a prime target

Vue3 practical development

Impact and mitigation of extension vulnerabilities
41:08 MIN

Impact and mitigation of extension vulnerabilities

Vue3 practical development

Why developers are a prime target for attackers
00:03 MIN

Why developers are a prime target for attackers

You click, you lose: a practical look at VSCode's security

When attackers target the developer's own tools
09:03 MIN

When attackers target the developer's own tools

Stranger Danger: Your Java Attack Surface Just Got Bigger

Key takeaways on IDE and developer tool security
27:19 MIN

Key takeaways on IDE and developer tool security

You click, you lose: a practical look at VSCode's security

Exfiltrating local files via a VS Code extension
14:43 MIN

Exfiltrating local files via a VS Code extension

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Risks of exposed network services in extensions
10:27 MIN

Risks of exposed network services in extensions

You click, you lose: a practical look at VSCode's security

Developers as an unintentional malware distribution vehicle
00:02 MIN

Developers as an unintentional malware distribution vehicle

Walking into the era of Supply Chain Risks

Featured Partners

Related Videos

See all videos
You click, you lose: a practical look at VSCode's security29:47

You click, you lose: a practical look at VSCode's security

Thomas Chauchefoin & Paul Gerste

Vue3 practical development44:11

Vue3 practical development

Mikhail Kuznetcov

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

Cross Site Scripting is yesterday's news, isn't it?30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Stranger Danger: Your Java Attack Surface Just Got Bigger1:58:59

Stranger Danger: Your Java Attack Surface Just Got Bigger

Vandana Verma Sehgal

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
LM
Luis Minvielle
8 Best Edge Extensions And Addons For Developers
As modern web applications become increasingly complex, developers rely on a range of tools and extensions to optimise their workflow and streamline their debugging process. From language translation to spelling and grammar checks, the right tools ca...
8 Best Edge Extensions And Addons For Developers
AM
Ashutosh Mishra
19 Great VS Code Extensions
Great VS Code ExtensionsAs a developer, your code editor is your most important tool. One of the perks of using VS code is the numerous extensions available to enhance your workflow. In this article, we’ll explore some of the best VS code extensions ...
19 Great VS Code Extensions
CH
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security

From learning to earning

Jobs that call for the skills explored in this talk.

DevSecOps

DevSecOps

Devsecops

40-60K
DevOps
Docker
Jenkins
Openshift
+3