Microsoft is accused of failing to implement some basic security controls on its hugely popular Visual Studio Code (VSCode) extensions marketplace. An open letter from independent researchers published on Medium reports “an incredible number of security design flaws implemented by Microsoft that provide amazing ways for threat actors to gain credibility and access.”
The researchers say the biggest security design flaw with VSCode extensions is the lack of any permission model. For example, a theme extension that should only change the colors of the user’s integrated development environment (IDE) may execute code and read or write files without any visibility or explicit authorization from the user. The researchers have also published supporting research that demonstrates the flaws highlighted in the open letter.
“30 minutes. 30 minutes is how long it took us to develop, publish, and polish a Visual Studio Code (the most popular IDE on the planet with over 15m monthly users) extension that changes your IDE’s colors while leaking all your source code to a remote server. We wrote the code, designed the assets, registered a domain, published the extension, generated fake reviews, got our first victim… and confirmed to be installed inside multiple multi-billion dollar market cap companies within 30 minutes of work,” said the researchers.
Microsoft has known about the flaws since 2018
The research group (Landa’s chief technology officer Amit Assaraf, AppTotal founder Itay Kruk, and Zscaler security researcher Idan Dardikman) also claims that Microsoft has known about this glaring flaw for five years but has failed to address it effectively.
“Amazingly, there has been an open GitHub feature request from 2018 requesting a permission model, and it has yet to be addressed by Microsoft,” said the researchers.
Another concern highlighted is that threat actors can potentially remain invisible to their victims, as extensions, by default, automatically update quietly to the latest version behind the scenes. This means anyone can initially publish a legitimate extension, gain traction, and then introduce malicious code.
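Because updates arrive quietly, a defender's practical counter is to turn off automatic updates and audit the installed extension inventory for changes. The script below is an added example, not code from the article or the researchers; it assumes the `publisher.name@version` line format that `code --list-extensions --show-versions` prints, and the two sample inventories are constructed.

```shell
#!/usr/bin/env bash
# Added example: detect quiet extension changes by diffing two inventories
# of the form printed by `code --list-extensions --show-versions`.
# Pair it with these settings.json keys so updates stop being silent:
#   "extensions.autoUpdate": false,
#   "extensions.autoCheckUpdates": false
set -u

# diff_inventory BASELINE CURRENT
# Both arguments are newline-separated publisher.name@version lists.
# Prints ADDED / CHANGED / REMOVED lines; returns 0 if identical, 1 otherwise.
diff_inventory() {
  local baseline="$1" current="$2" changed=0 line id ver old
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    id=${line%@*}; ver=${line##*@}
    old=$(printf '%s\n' "$baseline" | awk -F@ -v id="$id" '$1==id {print $2}')
    if [ -z "$old" ]; then
      printf 'ADDED   %s %s\n' "$id" "$ver"; changed=1
    elif [ "$old" != "$ver" ]; then
      printf 'CHANGED %s %s -> %s\n' "$id" "$old" "$ver"; changed=1
    fi
  done <<EOF
$current
EOF
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    id=${line%@*}
    printf '%s\n' "$current" | awk -F@ -v id="$id" '$1==id {f=1} END {exit !f}' \
      || { printf 'REMOVED %s\n' "$id"; changed=1; }
  done <<EOF
$baseline
EOF
  return $changed
}

# Constructed sample inventories (placeholder publishers and versions).
BASELINE='example-pub.nice-theme@1.0.0
example-pub.linter@2.3.1
other-pub.snippets@0.9.0'
CURRENT='example-pub.nice-theme@1.0.1
example-pub.linter@2.3.1
new-pub.helper@0.1.0'

# Real use: store a reviewed `code --list-extensions --show-versions` output
# as the baseline and run this against a fresh listing.
diff_inventory "$BASELINE" "$CURRENT" || echo "review the changes above"
```

Any CHANGED line is a version bump that happened without a human approving it, which is exactly the window the researchers describe.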
The open letter concludes: “Dear Microsoft, You created an amazing product, one used and adored by millions of developers. Those developers trusted you to design a safe product. I hope the security design flaws mentioned in this blog post will be fixed in the coming months.”