A newly discovered zero-day vulnerability in Visual Studio Code (VS Code) allows attackers to steal GitHub authentication tokens by enticing users to click on a malicious link. The flaw, which has not yet been patched or assigned a CVE ID, was disclosed by a security researcher who detailed how it enables the installation of harmful extensions that capture GitHub OAuth tokens. Once intercepted, these tokens provide full access to every GitHub repository the victim can access, posing a severe security risk. Users can mitigate the threat by clearing cookies and site data for github.dev in their browser settings. The researcher opted for immediate public disclosure because of past negative experiences with Microsoft’s security response and dissatisfaction with how previous VS Code bug reports were handled. This incident is part of a broader trend of zero-day disclosures affecting Microsoft products, with the company expressing its commitment to addressing security issues promptly while acknowledging the crucial role of the security research community.

