Thomas Chauchefoin & Paul Gerste

You click, you lose: a practical look at VSCode's security

Your IDE is a primary attack vector. See how a malicious Git config can execute code before you even respond to the trust prompt.

#1 (about 5 minutes)

Why developers are a prime target for attackers

Developers are attractive targets because they hold privileged access to systems and source code, and opening a seemingly harmless project in VS Code can be enough to execute arbitrary code on their machine.

#2 (about 6 minutes)

Understanding the architecture of VS Code

VS Code is built on Electron and splits its components into privileged Node.js processes (the main process and the extension host) and less-privileged renderer processes that draw the UI.

#3 (about 2 minutes)

Risks of exposed network services in extensions

Some VS Code components and extensions listen on local ports with web servers or debugging endpoints, which gives websites open in the browser and other hosts on the local network a way to reach them.

#4 (about 5 minutes)

Exploiting protocol handlers for code execution

The custom `vscode://` protocol handler can be abused through argument injection in built-in extensions such as the Git extension, so that a single malicious link executes arbitrary commands.

#5 (about 6 minutes)

Bypassing workspace trust with malicious configurations

Workspace Trust is meant to stop project-specific settings from attacking the user, but extensions that keep running in untrusted mode, such as the Git extension, can still be driven to code execution by a malicious repository configuration.

#6 (about 4 minutes)

Escalating cross-site scripting to code execution

Cross-site scripting (XSS) in components such as the Markdown preview can be escalated to full code execution because the compromised webview can send messages to the privileged workbench UI.

#7 (about 2 minutes)

Key takeaways on IDE and developer tool security

Security for developer tools is often an afterthought; features like Workspace Trust matter because they draw a clear security boundary between what an untrusted project may do and what the user has authorised.
