Raul Onitza-Klugman & Kirill Efimov

Vulnerable VS Code extensions are now at your front door

Could your favorite VS Code extension be stealing your SSH keys? This talk reveals how a single flaw can lead to total system compromise.

Vulnerable VS Code extensions are now at your front door
#1about 5 minutes

The expanding role of developers in security

Digital transformation has shifted infrastructure and security responsibilities to developers, increasing their value as an attack target.

#2about 3 minutes

Integrating security earlier in the development lifecycle

Security testing has shifted left to integrate with agile development, making developers responsible for triaging issues like transitive dependency vulnerabilities.

#3about 6 minutes

Common attacks targeting software developers

Attackers compromise developers through methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.

#4about 5 minutes

Why VS Code extensions are a major attack surface

VS Code's massive popularity and its extensive, under-researched extension marketplace make it a prime target for compromising developers.

#5about 2 minutes

Building a pipeline to analyze VS Code extensions

A processing pipeline was built to download all marketplace extensions, extract their source, and run static and dynamic analysis to find vulnerabilities.

#6about 5 minutes

Exploiting path traversal in the Instant Markdown extension

The Instant Markdown extension runs a local web server with a path traversal vulnerability, allowing an attacker to access arbitrary files on the user's machine.

#7about 8 minutes

Bypassing browser security to attack local servers

A malicious website can exploit a local server by using an XSS vulnerability to bypass CORS and exfiltrate data from the victim's machine.

#8about 3 minutes

Demo: Stealing SSH keys via a vulnerable extension

This demonstration shows how visiting a malicious link triggers an exploit chain that steals a local SSH key through the vulnerable Instant Markdown extension.

#9about 5 minutes

Remote code execution in the LaTeX Workshop extension

The LaTeX Workshop extension was vulnerable to remote code execution through a WebSocket connection that could trigger a VS Code API to open local applications.

#10about 3 minutes

Impact, disclosure, and mitigation strategies

Vulnerable extensions can lead to full supply chain attacks, but responsible disclosure led to quick fixes, and developers can mitigate risk through extension hygiene.

Related jobs
Jobs that call for the skills explored in this talk.

Designer

Andrew Comp

Andrew Comp
Berlin, Germany

Intermediate
Java
JavaScript

Matching moments

Why VS Code extensions are a prime target
05:03 MIN

Why VS Code extensions are a prime target

Vue3 practical development

Unlock full access

Log in or set up an account to access this feature and more.

Impact and mitigation of extension vulnerabilities
03:03 MIN

Impact and mitigation of extension vulnerabilities

Vue3 practical development

Unlock full access

Log in or set up an account to access this feature and more.

Why developers are a prime target for attackers
04:54 MIN

Why developers are a prime target for attackers

You click, you lose: a practical look at VSCode's security

Unlock full access

Log in or set up an account to access this feature and more.

When attackers target the developer's own tools
01:20 MIN

When attackers target the developer's own tools

Stranger Danger: Your Java Attack Surface Just Got Bigger

Unlock full access

Log in or set up an account to access this feature and more.

Key takeaways on IDE and developer tool security
02:28 MIN

Key takeaways on IDE and developer tool security

You click, you lose: a practical look at VSCode's security

Unlock full access

Log in or set up an account to access this feature and more.

Exfiltrating local files via a VS Code extension
05:29 MIN

Exfiltrating local files via a VS Code extension

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Unlock full access

Log in or set up an account to access this feature and more.

Risks of exposed network services in extensions
02:11 MIN

Risks of exposed network services in extensions

You click, you lose: a practical look at VSCode's security

Unlock full access

Log in or set up an account to access this feature and more.

Developers as an unintentional malware distribution vehicle
03:36 MIN

Developers as an unintentional malware distribution vehicle

Walking into the era of Supply Chain Risks

Unlock full access

Log in or set up an account to access this feature and more.

Featured Partners

Related Videos

See all videos
Vue3 practical development44:11

Vue3 practical development

Mikhail Kuznetcov

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Oops! Stories of supply chain shenanigans43:57

Oops! Stories of supply chain shenanigans

Zbyszek Tenerowicz

You click, you lose: a practical look at VSCode's security29:47

You click, you lose: a practical look at VSCode's security

Thomas Chauchefoin & Paul Gerste

Let's build a VS Code extension for automated refactorings1:40:08

Let's build a VS Code extension for automated refactorings

Nicolas Carlo

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

Real-World Security for Busy Developers29:50

Real-World Security for Busy Developers

Kevin Lewis

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
LM
Luis Minvielle
8 Best Edge Extensions And Addons For Developers
As modern web applications become increasingly complex, developers rely on a range of tools and extensions to optimise their workflow and streamline their debugging process. From language translation to spelling and grammar checks, the right tools ca...
8 Best Edge Extensions And Addons For Developers
AM
Ashutosh Mishra
19 Great VS Code Extensions
Great VS Code ExtensionsAs a developer, your code editor is your most important tool. One of the perks of using VS code is the numerous extensions available to enhance your workflow. In this article, we’ll explore some of the best VS code extensions ...
19 Great VS Code Extensions
CH
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security

From learning to earning

Jobs that call for the skills explored in this talk.