Thomas Chauchefoin & Paul Gerste
You click, you lose: a practical look at VSCode's security
#1about 5 minutes
Why developers are a prime target for attackers
Opening a seemingly harmless project in VS Code can lead to arbitrary code execution because developers have privileged access to systems and code.
#2about 6 minutes
Understanding the architecture of VS Code
VS Code is built on Electron and separates its components into privileged Node.js processes and less-privileged renderer processes for the UI.
#3about 2 minutes
Risks of exposed network services in extensions
Some VS Code components and extensions expose web servers or debuggers on the local network, creating attack vectors for websites or local network actors.
#4about 5 minutes
Exploiting protocol handlers for code execution
The custom `vscode://` protocol handler can be abused through argument injection in built-in extensions like Git, allowing a malicious link to execute arbitrary commands.
#5about 6 minutes
Bypassing workspace trust with malicious configurations
While Workspace Trust aims to prevent attacks from project-specific settings, vulnerabilities in extensions that run in untrusted mode, like the Git extension, can still lead to code execution.
#6about 4 minutes
Escalating cross-site scripting to code execution
Cross-site scripting (XSS) vulnerabilities in components like the Markdown preview can be escalated to full remote code execution by sending messages to the privileged workbench UI.
#7about 2 minutes
Key takeaways on IDE and developer tool security
Security for developer tools is often an afterthought, and features like Workspace Trust are essential for establishing clear security boundaries against attacks.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
14:05 MIN
Why VS Code extensions are a prime target
Vue3 practical development
14:05 MIN
Why VS Code extensions are a major attack surface
Vulnerable VS Code extensions are now at your front door
05:30 MIN
Securing developer access and development tools
Securing your application software supply-chain
09:03 MIN
When attackers target the developer's own tools
Stranger Danger: Your Java Attack Surface Just Got Bigger
36:26 MIN
Remote code execution in the LaTeX Workshop extension
Vulnerable VS Code extensions are now at your front door
08:16 MIN
Common attacks targeting software developers
Vulnerable VS Code extensions are now at your front door
00:28 MIN
Why developers make basic cybersecurity mistakes
Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes
15:35 MIN
Modern cybersecurity challenges for developers
Cyber Security: Small, and Large!
Featured Partners
Related Videos
44:11Vulnerable VS Code extensions are now at your front door
Raul Onitza-Klugman & Kirill Efimov
29:50Real-World Security for Busy Developers
Kevin Lewis
33:29Programming secure C#/.NET Applications: Dos & Don'ts
Sebastian Leuer
27:10Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
Sonya Moisset
28:41101 Typical Security Pitfalls
Alexander Pirker
30:54Cross Site Scripting is yesterday's news, isn't it?
Martina Kraus
44:11Vue3 practical development
Mikhail Kuznetcov
25:28How GitHub secures open source
Joseph Katsioloudes
From learning to earning
Jobs that call for the skills explored in this talk.
Embedded Security Engineer - Schwachstellenanalyse | Car IT | Secure Coding
Prognum Automotive GmbH
Remote
C++
IT-Security Engineer Awarness Training and Security Roadmap
Paris Lodron-Universität Salzburg
Powershell
Windows Server
Microsoft Office
Scripting (Bash/Python/Go/Ruby)