Digital transformation has shifted infrastructure and security responsibilities to developers, increasing their value as an attack target.
Security testing has shifted left to integrate with agile development, making developers responsible for triaging issues like transitive dependency vulnerabilities.
Attackers compromise developers through methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.
VS Code's massive popularity and its extensive, under-researched extension marketplace make it a prime target for compromising developers.
A processing pipeline was built to download all marketplace extensions, extract their source, and run static and dynamic analysis to find vulnerabilities.
The Instant Markdown extension runs a local web server with a path traversal vulnerability, allowing an attacker to access arbitrary files on the user's machine.
A malicious website can exploit a local server by using an XSS vulnerability to bypass CORS and exfiltrate data from the victim's machine.
This demonstration shows how visiting a malicious link triggers an exploit chain that steals a local SSH key through the vulnerable Instant Markdown extension.
The LaTeX Workshop extension was vulnerable to remote code execution through a WebSocket connection that could trigger a VS Code API to open local applications.
Vulnerable extensions can lead to full supply chain attacks, but responsible disclosure led to quick fixes, and developers can mitigate risk through extension hygiene.
44:11Mikhail Kuznetcov
28:41Alexander Pirker
29:47Thomas Chauchefoin & Paul Gerste
43:57Zbyszek Tenerowicz
1:40:08Nicolas Carlo
27:10Sonya Moisset
30:54Martina Kraus
29:50Kevin Lewis
.png?w=240&auto=compress,format)
Jobs that call for the skills explored in this talk.
Speech Processing Solutions
Vienna, Austria
Vesterling Consulting GmbH
Barcelona, Spain
Green Tech Valley Cluster GmbH
Excellence AG