This site may contain outdated or incomplete information.
Misconfigured Dev and QA tool compromised
From the original article [1]:
This month a researcher has disclosed how he broke into the official GitHub repository of Microsoft Visual Studio Code.
A vulnerability in VS Code’s issue management function and a lack of authentication checks enabled the researcher to obtain push access, and write to the repository.
Impact
From the original article [1]:
By injecting his basic PoC exploit into the VS Code’s CI script which ran around midnight, the researcher obtained a reverse shell.
Further, the researcher obtained the GitHub authorization token for VS Code repository that would give him write access to the repository.
Eventually, after obtaining the token, the researcher posted a PoC commit to the repository
Type of compromise
Dev tooling: “obtain push access, and write to the repository.” Source code repositories are considered part of the developer tooling.
References.
- “Here’s how a researcher broke into Microsoft VS Code’s GitHub”, Ax Sharma,
<https://www.bleepingcomputer.com/news/security/heres-how-a-researcher-broke-into-microsoft-vs-codes-github/>
, last accessed 2021-02-02.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.