A github.dev flaw could let attackers steal GitHub OAuth tokens through a one-click attack, exposing private repositories and codebases.
A single click on the wrong repository could have put a developer’s GitHub access at risk.
Security researcher Ammar Askar disclosed a zero-day vulnerability in github.dev, GitHub’s browser-based VSCode environment, that could expose GitHub OAuth tokens through a flaw in VSCode webviews. Those tokens could give attackers access to repositories and organizational code available to the affected developer.
Microsoft introduced mitigations on June 3, according to Askar’s disclosure timeline, but the bug is a sharp reminder of how much trust modern development workflows place in browser-based coding tools.
VSCode is a desktop coding tool owned by Microsoft, the same company that owns GitHub, a code management platform. Over time, Microsoft has tightly integrated both tools to make moving between coding and code management seamless.
One example is github.dev, a browser-based version of VSCode that lets developers open and edit repositories directly from GitHub using GitHub OAuth credentials. According to Askar, this trusted integration is precisely what made the vulnerability possible.
Askar notes that the attacker begins by tricking a developer into opening a compromised repository using github.dev. The repository, in turn, loads a malicious extension into the workspace.
The issue stems from the way the extension communicates with VSCode via a webview. According to Askar, a bug in github.dev’s webview allowed a malicious extension to escape the sandbox and steal GitHub tokens, enabling an attacker to impersonate the developer.
Beyond having read access, the attacker could also gain write access to available repositories. That could let them delete codebases, clone private repositories, or push malicious code to production software.
For a better understanding of how this works, refer to the proof-of-concept that Askar published.
Aside from being careful with the repositories they open, developers can also protect against this vulnerability by clearing cached data for github.dev. The exact steps for doing so depend on your browser.
The vulnerability was not left unaddressed for long. Askar’s disclosure timeline shows that GitHub received an hour’s notice before publication, with Microsoft introducing an initial safeguard on June 3 and following it up with a broader fix later that day. That response reduces the immediate risk, but the disclosure highlights how valuable GitHub authentication tokens can be if stolen.
Joseph is a Technical Writer with about 3 years of experience in the industry, also advancing a career in cyber threat intelligence. He is passionate about the responsible use of technology, a passion that led him into cybersecurity. As an undergrad, he leads a novel community of technology enthusiasts at his school, NOUN, where he guides and shares resources for beginners in tech. His writing experience includes writing on a diverse range of topics, from consumer tech to startups and tutorials. Additionally, he periodically shares case studies and research reports on cybersecurity on his social media pages.