Thomas Chauchefoin & Paul Gerste

You click, you lose: a practical look at VSCode's security

Your IDE is a primary attack vector. See how a malicious Git config can execute code before you even respond to the trust prompt.

You click, you lose: a practical look at VSCode's security
#1about 5 minutes

Why developers are a prime target for attackers

Opening a seemingly harmless project in VS Code can lead to arbitrary code execution because developers have privileged access to systems and code.

#2about 6 minutes

Understanding the architecture of VS Code

VS Code is built on Electron and separates its components into privileged Node.js processes and less-privileged renderer processes for the UI.

#3about 2 minutes

Risks of exposed network services in extensions

Some VS Code components and extensions expose web servers or debuggers on the local network, creating attack vectors for websites or local network actors.

#4about 5 minutes

Exploiting protocol handlers for code execution

The custom `vscode://` protocol handler can be abused through argument injection in built-in extensions like Git, allowing a malicious link to execute arbitrary commands.

#5about 6 minutes

Bypassing workspace trust with malicious configurations

While Workspace Trust aims to prevent attacks from project-specific settings, vulnerabilities in extensions that run in untrusted mode, like the Git extension, can still lead to code execution.

#6about 4 minutes

Escalating cross-site scripting to code execution

Cross-site scripting (XSS) vulnerabilities in components like the Markdown preview can be escalated to full remote code execution by sending messages to the privileged workbench UI.

#7about 2 minutes

Key takeaways on IDE and developer tool security

Security for developer tools is often an afterthought, and features like Workspace Trust are essential for establishing clear security boundaries against attacks.

Related jobs
Jobs that call for the skills explored in this talk.

job ad

Saby Company
Delebio, Italy

Intermediate

d

Saby Company
Delebio, Italy

Junior

Matching moments

When attackers target the developer's own tools
09:03 MIN

When attackers target the developer's own tools

Stranger Danger: Your Java Attack Surface Just Got Bigger

Why VS Code extensions are a prime target
14:05 MIN

Why VS Code extensions are a prime target

Vue3 practical development

Why VS Code extensions are a major attack surface
14:05 MIN

Why VS Code extensions are a major attack surface

Vulnerable VS Code extensions are now at your front door

Securing developer access and development tools
05:30 MIN

Securing developer access and development tools

Securing your application software supply-chain

Exploring specific web vulnerabilities and filtering issues
33:08 MIN

Exploring specific web vulnerabilities and filtering issues

WeAreDevelopers LIVE - Chrome for Sale? Comet - the upcoming perplexity browser Stealing and leaking

Common security failures beyond individual coding errors
05:28 MIN

Common security failures beyond individual coding errors

Maturity assessment for technicians or how I learned to love OWASP SAMM

Recent news on security, AI governance, and data privacy
07:55 MIN

Recent news on security, AI governance, and data privacy

WeAreDevelopers LIVE - Dapr / Pixels and Generative Art / Open Source and Communities / and more

Remote code execution in the LaTeX Workshop extension
36:26 MIN

Remote code execution in the LaTeX Workshop extension

Vulnerable VS Code extensions are now at your front door

Featured Partners

Related Videos

See all videos
Vulnerable VS Code extensions are now at your front door44:11

Vulnerable VS Code extensions are now at your front door

Raul Onitza-Klugman & Kirill Efimov

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

Programming secure C#/.NET Applications: Dos & Don'ts33:29

Programming secure C#/.NET Applications: Dos & Don'ts

Sebastian Leuer

Cross Site Scripting is yesterday's news, isn't it?30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Vue3 practical development44:11

Vue3 practical development

Mikhail Kuznetcov

Software Security 101: Secure Coding Basics1:58:48

Software Security 101: Secure Coding Basics

Thomas Konrad

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
CH
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security
CH
Chris Heilmann
Dev Digest 131 - AI'm not sure about OSS
News and ArticlesRust and Typescript are rising stars in programming languages 2024 survey, the State of CSS 2024 survey is open and here is what's new in ECMAScript.In security news, a Microsoft update bricks Linux dual-boot systems, they patched a ...
Dev Digest 131 - AI'm not sure about OSS

From learning to earning

Jobs that call for the skills explored in this talk.