Thomas Chauchefoin & Paul Gerste

Sep 27, 2023 • World Congress 2023

You click, you lose: a practical look at VSCode's security

Your IDE is a primary attack vector. See how a malicious Git config can execute code before you even respond to the trust prompt.

#1about 5 minutes

Why developers are a prime target for attackers

Opening a seemingly harmless project in VS Code can lead to arbitrary code execution because developers have privileged access to systems and code.

#2about 6 minutes

Understanding the architecture of VS Code

VS Code is built on Electron and separates its components into privileged Node.js processes and less-privileged renderer processes for the UI.

#3about 2 minutes

Risks of exposed network services in extensions

Some VS Code components and extensions expose web servers or debuggers on the local network, creating attack vectors for websites or local network actors.

#4about 5 minutes

Exploiting protocol handlers for code execution

The custom `vscode://` protocol handler can be abused through argument injection in built-in extensions like Git, allowing a malicious link to execute arbitrary commands.

#5about 6 minutes

Bypassing workspace trust with malicious configurations

While Workspace Trust aims to prevent attacks from project-specific settings, vulnerabilities in extensions that run in untrusted mode, like the Git extension, can still lead to code execution.

#6about 4 minutes

Escalating cross-site scripting to code execution

Cross-site scripting (XSS) vulnerabilities in components like the Markdown preview can be escalated to full remote code execution by sending messages to the privileged workbench UI.

#7about 2 minutes

Key takeaways on IDE and developer tool security

Security for developer tools is often an afterthought, and features like Workspace Trust are essential for establishing clear security boundaries against attacks.

Andrew Comp
Berlin, Germany

Intermediate

Java

JavaScript

When attackers target the developer's own tools

01:20 MIN

When attackers target the developer's own tools

Stranger Danger: Your Java Attack Surface Just Got Bigger

Unlock full access

Log in or set up an account to access this feature and more.

Why VS Code extensions are a prime target

05:03 MIN

Why VS Code extensions are a prime target

Vue3 practical development

Unlock full access

Log in or set up an account to access this feature and more.

Why VS Code extensions are a major attack surface

05:03 MIN

Why VS Code extensions are a major attack surface

Vulnerable VS Code extensions are now at your front door

Unlock full access

Log in or set up an account to access this feature and more.

Securing developer access and development tools

03:16 MIN

Securing developer access and development tools

Securing your application software supply-chain

Unlock full access

Log in or set up an account to access this feature and more.

Exploring specific web vulnerabilities and filtering issues

03:17 MIN

Exploring specific web vulnerabilities and filtering issues

WeAreDevelopers LIVE - Chrome for Sale? Comet - the upcoming perplexity browser Stealing and leaking

Unlock full access

Log in or set up an account to access this feature and more.

Common security failures beyond individual coding errors

03:27 MIN

Common security failures beyond individual coding errors

Maturity assessment for technicians or how I learned to love OWASP SAMM

Unlock full access

Log in or set up an account to access this feature and more.

Recent news on security, AI governance, and data privacy

08:41 MIN

Recent news on security, AI governance, and data privacy

WeAreDevelopers LIVE - Dapr / Pixels and Generative Art / Open Source and Communities / and more

Unlock full access

Log in or set up an account to access this feature and more.

Remote code execution in the LaTeX Workshop extension

04:42 MIN

Remote code execution in the LaTeX Workshop extension

Vulnerable VS Code extensions are now at your front door

Unlock full access

Log in or set up an account to access this feature and more.

Featured Partners

Software Security 101: Secure Coding Basics

Software Security 101: Secure Coding Basics

Thomas Konrad

about 5 years ago • World Congress 2021

Security Pitfalls for Software Engineers

Security Pitfalls for Software Engineers

Jasmin Azemović

about 2 years ago • World Congress 2023

A Primer in Single Page Application Security (Angular, React, Vue.js)

A Primer in Single Page Application Security (Angular, React, Vue.js)

Thomas Konrad

about 5 years ago • WeAreDevelopers LIVE

Vulnerable VS Code extensions are now at your front door

Vulnerable VS Code extensions are now at your front door

Raul Onitza-Klugman & Kirill Efimov

about 4 years ago • JavaScript Congress

Cyber Security: Small, and Large!

Cyber Security: Small, and Large!

Martin Schmiedecker

about 4 years ago • WeAreDevelopers LIVE

You can’t hack what you can’t see

You can’t hack what you can’t see

Reto Kaeser

about 5 years ago • WeAreDevelopers LIVE

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

about 2 years ago • World Congress 2023

Real-World Security for Busy Developers

Real-World Security for Busy Developers

Kevin Lewis

about 6 months ago • World Congress 2025

Related Articles

View all articles

CH

Chris Heilmann

Dev Digest 138 - Are you secure about this?

Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...

Dev Digest 138 - Are you secure about this?

CH

Chris Heilmann

Dev Digest 110 - XY marks the spotty security

This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...

Dev Digest 110 - XY marks the spotty security

CH

Chris Heilmann

The Future of Open Source: A Deep Dive - Scott Chacon at WeAreDevelopers World Congress 2024

Scott gave us an exciting look into the future of open source in his talk at the WeAreDevelopers World Congress 2024! Discover how the community evolves, lessons from GitHub, and the challenges of today's open source landscape. Check out the video:He...

The Future of Open Source: A Deep Dive - Scott Chacon at WeAreDevelopers World Congress 2024

CH

Chris Heilmann

Dev Digest 131 - AI'm not sure about OSS

News and ArticlesRust and Typescript are rising stars in programming languages 2024 survey, the State of CSS 2024 survey is open and here is what's new in ECMAScript.In security news, a Microsoft update bricks Linux dual-boot systems, they patched a ...

Dev Digest 131 - AI'm not sure about OSS

From learning to earning

Jobs that call for the skills explored in this talk.

Web-Entwickler JAVA / JavaScript mit Fokus Security | Security by Design, Softwarearchitektur (mwd)

Vesterling Consulting GmbH

€70-90K

Software Architecture

Software Security Engineer - C++ / Java / Python

Workwise GmbH

Fullstack Security Engineer - PHP / TypeScript / SQL

Pflegecampus21 GmbH

Remote

€55-80K

MySQL

DevOps

TypeScript

Security and Vulnerability Engineer

Ateca Consulting

Cybersecurity Specialist for Vulnerability Management

Green Tech Valley Cluster GmbH

Consultant DevSecOps/Application Security

NTT DATA Deutschland GmbH

Remote

Node.js

Continuous Integration

Consultant DevSecOps/Application Security

NTT DATA Deutschland GmbH

Remote

Node.js

Continuous Integration

Consultant DevSecOps/Application Security

NTT DATA Deutschland GmbH

Remote

Node.js

Continuous Integration

Software Entwickler Cyber Security

Excellence AG

Kotlin

Kubernetes

Apache Kafka

Microservices

Continuous Delivery

+1