Thomas Chauchefoin & Paul Gerste

You click, you lose: a practical look at VSCode's security

Your IDE is a primary attack vector. See how a malicious Git config can execute code before you even respond to the trust prompt.

You click, you lose: a practical look at VSCode's security
#1about 5 minutes

Why developers are a prime target for attackers

Opening a seemingly harmless project in VS Code can lead to arbitrary code execution because developers have privileged access to systems and code.

#2about 6 minutes

Understanding the architecture of VS Code

VS Code is built on Electron and separates its components into privileged Node.js processes and less-privileged renderer processes for the UI.

#3about 2 minutes

Risks of exposed network services in extensions

Some VS Code components and extensions expose web servers or debuggers on the local network, creating attack vectors for websites or local network actors.

#4about 5 minutes

Exploiting protocol handlers for code execution

The custom `vscode://` protocol handler can be abused through argument injection in built-in extensions like Git, allowing a malicious link to execute arbitrary commands.

#5about 6 minutes

Bypassing workspace trust with malicious configurations

While Workspace Trust aims to prevent attacks from project-specific settings, vulnerabilities in extensions that run in untrusted mode, like the Git extension, can still lead to code execution.

#6about 4 minutes

Escalating cross-site scripting to code execution

Cross-site scripting (XSS) vulnerabilities in components like the Markdown preview can be escalated to full remote code execution by sending messages to the privileged workbench UI.

#7about 2 minutes

Key takeaways on IDE and developer tool security

Security for developer tools is often an afterthought, and features like Workspace Trust are essential for establishing clear security boundaries against attacks.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

When attackers target the developer's own tools
01:20 MIN

When attackers target the developer's own tools

Stranger Danger: Your Java Attack Surface Just Got Bigger

Navigating security risks in modern development tools
02:37 MIN

Navigating security risks in modern development tools

WeAreDevelopers LIVE – From JavaScript to WebAssembly, High-Performance Charting and More

Why VS Code extensions are a prime target
05:03 MIN

Why VS Code extensions are a prime target

Vue3 practical development

Why VS Code extensions are a major attack surface
05:03 MIN

Why VS Code extensions are a major attack surface

Vulnerable VS Code extensions are now at your front door

Securing developer access and development tools
03:16 MIN

Securing developer access and development tools

Securing your application software supply-chain

Common security failures beyond individual coding errors
03:27 MIN

Common security failures beyond individual coding errors

Maturity assessment for technicians or how I learned to love OWASP SAMM

Exploring specific web vulnerabilities and filtering issues
03:17 MIN

Exploring specific web vulnerabilities and filtering issues

WeAreDevelopers LIVE - Chrome for Sale? Comet - the upcoming perplexity browser Stealing and leaking

Introduction to developer-first security and CTFs
04:09 MIN

Introduction to developer-first security and CTFs

Capture the Flag 101

Featured Partners

Related Videos

See all videos
Software Security 101: Secure Coding Basics1:58:48

Software Security 101: Secure Coding Basics

Thomas Konrad

Security Pitfalls for Software Engineers27:32

Security Pitfalls for Software Engineers

Jasmin Azemović

Vulnerable VS Code extensions are now at your front door44:11

Vulnerable VS Code extensions are now at your front door

Raul Onitza-Klugman & Kirill Efimov

Cyber Security: Small, and Large!37:32

Cyber Security: Small, and Large!

Martin Schmiedecker

A Primer in Single Page Application Security (Angular, React, Vue.js)36:39

A Primer in Single Page Application Security (Angular, React, Vue.js)

Thomas Konrad

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

Programming secure C#/.NET Applications: Dos & Don'ts33:29

Programming secure C#/.NET Applications: Dos & Don'ts

Sebastian Leuer

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
CH
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security
DC
Daniel Cranney
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI
Inside last week’s Dev Digest 198 . 🎂 30 years of JavaScript ⏰ How long is a JavaScript second 💻 Clean code in Angular 🤦‍♂️ AI makes different mistakes than humans 👨‍💻 In-browser and offline AI 🟠 Undocumented Hacker News features 🐋 DeepSeek censored...
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI

From learning to earning

Jobs that call for the skills explored in this talk.