Microsoft Visual Studio Code flaw lets extensions steal passwords
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.
This week: A Microsoft Visual Studio Code flaw allows for authentication token theft via malicious extensions. Once leveraged, the possibilities for exploits are numerous.
This Week’s Top Story
Microsoft Visual Studio Code (VS Code) holds a potentially catastrophic flaw in the way it stores credentials. Discovered by Cycode researchers, the flaw allows a malicious extension to steal the authentication tokens that VS Code keeps in the credential management systems of Linux, Windows, and macOS. A threat actor who obtains a token through a malicious extension has opened Pandora's Box: the options range from unauthorized access to the systems the token unlocks, to data breaches of the repositories and services it authenticates to, and more.
The theft is possible because VS Code's 'Secret Storage', the API through which third-party (non-GitHub/Microsoft) extensions save their tokens, is not isolated per extension. Secret Storage hands the values to the operating system's credential store through Keytar, and any extension running in VS Code can call the same API and read back secrets that another extension stored, so an attacker can take whichever token they fancy. There is also more than one way in. While red-teaming the platform, Cycode's researchers first found an easy method: modify a third-party extension so that it runs a command exposing its own stored token and sends it straight to the researchers' server. They then developed a more versatile method that extracts secrets without tampering with the target extension's code at all. That both a crude attack and a more sophisticated one work shows the flaw can be leveraged by attackers of almost any skill level. Once it is, Pandora's Box is wide open.
Despite this alarming flaw, Microsoft seems untroubled. Two months after Cycode sent its report, the company has neither fixed the flaw nor issued a warning. Microsoft's engineers do not consider it a security concern: extensions, they say, are not meant to be, nor expected to be, sandboxed from the development environment. So, to any developers using VS Code: be aware, and stay vigilant about which extensions you install.
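As an added practical check for that last piece of advice (example code written for this edition, not code from Cycode, Microsoft or the VS Code project), the script below inventories the extensions installed in VS Code's user extensions directory and flags the ones that come from a publisher outside an allowlist or that activate without any user action, since every one of them runs with the same access to Secret Storage. It assumes the standard on-disk layout of ~/.vscode/extensions (one folder per extension, each with a package.json manifest carrying `publisher`, `name`, `version` and `activationEvents`); the publisher allowlist is a placeholder to adjust for your own organization, and the manifests it builds in a temporary directory are constructed sample data.

```python
"""Inventory installed VS Code extensions and flag the ones worth a closer look.

Added example for this newsletter edition; not code from Cycode, Microsoft or
the VS Code project. Assumes the usual ~/.vscode/extensions layout:
<publisher>.<name>-<version>/package.json per extension.
"""
import json
import tempfile
from pathlib import Path

TRUSTED_PUBLISHERS = {"ms-vscode", "github"}   # placeholder allowlist; adjust for your org
STARTUP_EVENTS = {"*", "onStartupFinished"}    # activation events that need no user action


def load_manifests(ext_dir: Path) -> list[dict]:
    """Return one record per extension folder under ext_dir that carries a package.json."""
    records = []
    for folder in sorted(p for p in Path(ext_dir).iterdir() if p.is_dir()):
        manifest = folder / "package.json"
        if not manifest.is_file():
            continue  # not an extension folder (e.g. leftovers), skip
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # An unreadable or malformed manifest is itself worth a look; keep it in the report.
            records.append({"id": folder.name, "publisher": "?", "version": "?",
                            "activation": [], "malformed": True})
            continue
        records.append({
            "id": f"{data.get('publisher', '?')}.{data.get('name', '?')}",
            "publisher": data.get("publisher", "?"),
            "version": data.get("version", "?"),
            "activation": list(data.get("activationEvents") or []),
            "malformed": False,
        })
    return records


def review_extensions(records: list[dict], trusted=frozenset(TRUSTED_PUBLISHERS)) -> dict[str, list[str]]:
    """Map each extension id to the reasons it deserves review (empty list = nothing flagged)."""
    findings = {}
    for rec in records:
        reasons = []
        if rec["malformed"]:
            reasons.append("manifest unreadable")
        if rec["publisher"] not in trusted:
            reasons.append(f"publisher '{rec['publisher']}' not in allowlist")
        startup = STARTUP_EVENTS.intersection(rec["activation"])
        if startup:
            reasons.append(f"activates without user action: {sorted(startup)}")
        findings[rec["id"]] = reasons
    return findings


def build_sample_dir() -> Path:
    """Build a constructed look-alike of ~/.vscode/extensions in a temp dir (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-"))
    (root / "extensions.json").write_text("[]", encoding="utf-8")  # bookkeeping file, not an extension
    samples = {
        "github.vscode-pull-request-github-0.70.0": {
            "publisher": "github", "name": "vscode-pull-request-github", "version": "0.70.0",
            "activationEvents": ["onStartupFinished"]},
        "acme.helper-1.2.3": {
            "publisher": "acme", "name": "helper", "version": "1.2.3",
            "activationEvents": ["*"]},
        "ms-vscode.cpptools-1.16.0": {
            "publisher": "ms-vscode", "name": "cpptools", "version": "1.16.0",
            "activationEvents": ["onLanguage:cpp"]},
    }
    for folder, manifest in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    ext_dir = Path.home() / ".vscode" / "extensions"
    if not ext_dir.is_dir():
        ext_dir = build_sample_dir()   # no VS Code here: run on the constructed sample instead
    for ext_id, reasons in review_extensions(load_manifests(ext_dir)).items():
        print(f"{ext_id}: {'; '.join(reasons) if reasons else 'ok'}")
```

The report is a starting point, not a verdict: an allowlisted publisher can still ship a compromised update, and an extension that activates only on a file type still gets the same Secret Storage access once it runs. The point of the inventory is to know exactly which third-party code is in a position to read your tokens.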
This Week’s Headlines
GitHub has announced an upgrade to its platform that makes secrets more secure. The feature, called Push Protection, is now available to all users rather than the small subgroup that had it before. Push Protection also gains two new capabilities: one lets users protect their work across the platform with a simple toggle in their personal account settings, and the other gives organization owners access to metrics on secret security. (Analytics India Magazine)
The Kubernetes (K8s) clusters of more than 350 organizations are openly accessible and unprotected. More concerning still, about half of the clusters have already been breached and are the target of an active campaign that deploys malware. Two misconfigurations leave the clusters virtually unprotected: one that grants privileges to anonymous users, and one that exposes the clusters to the internet. (CSO Online)
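As an added example (written for this edition, not code from the CSO Online report), the script below audits a cluster's RBAC bindings for the first of those two misconfigurations: any ClusterRoleBinding or RoleBinding whose subjects include the anonymous user (`system:anonymous`) or the unauthenticated group (`system:unauthenticated`). It reads the JSON that `kubectl get ... -o json` prints and skips the `system:public-info-viewer` binding that Kubernetes creates by default, which only exposes read-only endpoints such as /version and /healthz to unauthenticated callers. The bindings embedded in the block are constructed sample data.

```python
"""Audit Kubernetes RBAC bindings for subjects that need no authentication.

Added example, not from the CSO Online report. Reads the JSON printed by
`kubectl get clusterrolebindings,rolebindings -A -o json` (a List of bindings)
from stdin, or falls back to the constructed SAMPLE below.
"""
import json
import sys

# Subjects that match an unauthenticated request.
ANON_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

# Binding that Kubernetes creates by default for read-only discovery endpoints
# (/healthz, /version, ...); it is expected to include system:unauthenticated.
BUILTIN_ALLOWED = {"system:public-info-viewer"}


def anonymous_bindings(bindings_json: str, allowed=frozenset(BUILTIN_ALLOWED)) -> list[dict]:
    """Return one finding per (binding, anonymous subject) pair outside the allowlist."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        meta = item["metadata"]
        if meta["name"] in allowed:
            continue
        for subj in item.get("subjects") or []:          # subjects may be absent or null
            if (subj.get("kind"), subj.get("name")) in ANON_SUBJECTS:
                findings.append({
                    "binding": meta["name"],
                    "kind": item["kind"],
                    "namespace": meta.get("namespace"),  # None for a ClusterRoleBinding
                    "subject": f"{subj['kind']}:{subj['name']}",
                    "role": f"{item['roleRef']['kind']}/{item['roleRef']['name']}",
                })
    return findings


def _binding(kind, name, subjects, role_kind, role_name, namespace=None):
    """Build one binding object in the shape kubectl emits (helper for the sample only)."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta,
            "subjects": [{"kind": k, "name": n} for k, n in subjects],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": role_kind, "name": role_name}}


# Constructed sample resembling kubectl's output: the expected default binding,
# two dangerous ones, and one ordinary service-account binding.
SAMPLE = json.dumps({"kind": "List", "items": [
    _binding("ClusterRoleBinding", "system:public-info-viewer",
             [("Group", "system:authenticated"), ("Group", "system:unauthenticated")],
             "ClusterRole", "system:public-info-viewer"),
    _binding("ClusterRoleBinding", "anon-admin",
             [("User", "system:anonymous")], "ClusterRole", "cluster-admin"),
    _binding("RoleBinding", "anon-pod-reader",
             [("Group", "system:unauthenticated")], "Role", "pod-reader", namespace="default"),
    _binding("RoleBinding", "ci-deployer",
             [("ServiceAccount", "ci")], "ClusterRole", "edit", namespace="apps"),
]})


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for f in anonymous_bindings(data):
        scope = f["namespace"] or "cluster-wide"
        print(f"{f['kind']} {f['binding']} ({scope}): {f['subject']} -> {f['role']}")
```

Against a live cluster, run `kubectl get clusterrolebindings,rolebindings -A -o json | python3 audit_anonymous_rbac.py`. Any hit other than the built-in binding means an unauthenticated caller can exercise that role; remove the binding and, where nothing depends on anonymous requests, start the API server with `--anonymous-auth=false`. The second misconfiguration (the API endpoint reachable from the internet) is a network question that this script does not cover.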
An open source toolkit, Merlin, built for red teamers, has been commandeered by attackers to target Ukrainian state organizations. Merlin lets attackers gain a foothold in a target's network, launch an attack, and move laterally through the environment. The toolkit appears to be delivered via a phishing email that tries to get recipients to download files that purport to harden their MS Office suite. (Bleeping Computer)
A figurative bomb was dropped at Black Hat: while important, SBOMs alone are not enough to secure the software supply chain. Instead, organizations should add binary source validation. Binary source validation means inspecting software at a layer deeper than the source code, looking at the build artifacts produced during development and validating them as legitimate. In layman's terms, it is a closer look at the components of the software than an SBOM provides. By checking these finer details, one hopes to catch complex attacks such as SolarWinds or Log4j before they start. (Dark Reading)
The open source project Moq slyly included a controversial dependency in one of its latest releases: the SponsorLink project. The move put people on guard because SponsorLink is a closed-source project that collects hashes of users' email addresses and sends them to its content delivery network (CDN). Backlash came quickly, with users raising privacy concerns and commenting on the shady ethical lines. As of August 10th, the project has removed the SponsorLink integration in its latest release, 4.20.2. (Bleeping Computer)
Resource Round Up
ReversingGlass Video: Why the time is NOW for Software Supply Chain Security
In this episode, ReversingLabs Field CISO Matt Rose explains why organizations need to strengthen their software supply chain security efforts immediately, given the increase in both the speed and complexity of development environments.
August 16 - Join Daniel Gallo, Solution Engineer, JetBrains TeamCity, and Igor Lasic, SVP Engineering, ReversingLabs, as they discuss approaches to overcoming the challenges DevSecOps teams face in defending their CI/CD environments against multiple attack vectors and threats. [Register Now]
Webinar: Black Hat… Now What?
August 23 - Whether or not you were able to attend the events of Hacker Summer Camp in person, the event's impact cannot be ignored. Join top thought leaders and authors Freakyclown, Derek Fisher, and Chris Hughes in this special post-Black Hat event as they discuss the highs and lows of one of the biggest weeks in cybersecurity. [Register Now]