Visual Studio Code is a free and open source code editor developed by Microsoft. It has become one of the most popular tools among developers thanks to its flexibility, its support for a wide variety of programming languages and technologies, and the large catalog of extensions that can be installed and used.
The problem that has emerged in recent hours is that developers of Visual Studio Code extensions could exploit a security weakness to retrieve credentials stored in the password managers of Windows, Linux and macOS.
Cycode researchers discovered that, by exploiting a loophole inherent in the way Visual Studio Code stores secrets, it is possible to retrieve a user's authorization tokens, the items that grant access to platforms such as GitHub, Git, AWS, Docker/Kubernetes, Microsoft and so on, without typing any credentials.
Unauthorized access to authorization tokens stored at the operating system level
Cycode's researchers explain that Visual Studio Code exposes to installed extensions a dedicated API for accessing tokens saved on the system. That API relies on Keytar, a component of the Microsoft editor that handles communication with the Windows Credential Manager and with the Linux and macOS keychains.
Any extension loaded into Visual Studio Code can therefore reach the secret store and abuse Keytar to retrieve tokens it was never authorized to read.
The root problem is that every extension has the right to access the keychain entries holding the authorization tokens, because it runs inside the application (Visual Studio Code itself) to which the operating system has already granted access to the local password manager: the operating system authorizes the editor process, not the individual extension.
Cycode points out that the tokens are encrypted with AES-256-GCM, which is normally perfectly safe. However, the key used to encrypt the tokens is derived from the path of the executable and from the machine ID, both of which any local process can read; it is therefore straightforward to reconstruct the cryptographic key actually in use. The cipher is not the weakness, the key management is.
Furthermore, a second shortcoming identified in Visual Studio Code allows the developer of a malicious extension to gain direct access to tokens managed by another extension.
Microsoft has indicated that it will not fix the security issue
The researchers privately shared the results of their audit with Microsoft two months ago. Microsoft's engineers, however, decided not to fix the problem, as they saw no imminent threat in it.
It is true that a developer who downloads and installs an extension from untrusted sources has few excuses, and equally true that running a malicious component on a system can have extremely serious consequences in any case (so the real countermeasure must be applied upstream, by preventing that from happening). That said, it is the lack of isolation between the system component that manages the tokens and the individual extensions that makes the attack so easy.