Thomas Chauchefoin & Paul Gerste

You click, you lose: a practical look at VSCode's security

Your IDE is a primary attack vector. See how a malicious Git config can execute code before you even respond to the trust prompt.

You click, you lose: a practical look at VSCode's security
#1about 5 minutes

Why developers are a prime target for attackers

Opening a seemingly harmless project in VS Code can lead to arbitrary code execution because developers have privileged access to systems and code.

#2about 6 minutes

Understanding the architecture of VS Code

VS Code is built on Electron and separates its components into privileged Node.js processes and less-privileged renderer processes for the UI.

#3about 2 minutes

Risks of exposed network services in extensions

Some VS Code components and extensions expose web servers or debuggers on the local network, creating attack vectors for websites or local network actors.

#4about 5 minutes

Exploiting protocol handlers for code execution

The custom `vscode://` protocol handler can be abused through argument injection in built-in extensions like Git, allowing a malicious link to execute arbitrary commands.

#5about 6 minutes

Bypassing workspace trust with malicious configurations

While Workspace Trust aims to prevent attacks from project-specific settings, vulnerabilities in extensions that run in untrusted mode, like the Git extension, can still lead to code execution.

#6about 4 minutes

Escalating cross-site scripting to code execution

Cross-site scripting (XSS) vulnerabilities in components like the Markdown preview can be escalated to full remote code execution by sending messages to the privileged workbench UI.

#7about 2 minutes

Key takeaways on IDE and developer tool security

Security for developer tools is often an afterthought, and features like Workspace Trust are essential for establishing clear security boundaries against attacks.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

When attackers target the developer's own tools
01:20 MIN

When attackers target the developer's own tools

Stranger Danger: Your Java Attack Surface Just Got Bigger

Why VS Code extensions are a prime target
05:03 MIN

Why VS Code extensions are a prime target

Vue3 practical development

Why VS Code extensions are a major attack surface
05:03 MIN

Why VS Code extensions are a major attack surface

Vulnerable VS Code extensions are now at your front door

Securing developer access and development tools
03:16 MIN

Securing developer access and development tools

Securing your application software supply-chain

Exploring specific web vulnerabilities and filtering issues
03:17 MIN

Exploring specific web vulnerabilities and filtering issues

WeAreDevelopers LIVE - Chrome for Sale? Comet - the upcoming perplexity browser Stealing and leaking

Remote code execution in the LaTeX Workshop extension
04:42 MIN

Remote code execution in the LaTeX Workshop extension

Vulnerable VS Code extensions are now at your front door

Context-blind vulnerabilities from IDE coding assistants
08:03 MIN

Context-blind vulnerabilities from IDE coding assistants

Can Machines Dream of Secure Code? Emerging AI Security Risks in LLM-driven Developer Tools

Common security failures beyond individual coding errors
03:27 MIN

Common security failures beyond individual coding errors

Maturity assessment for technicians or how I learned to love OWASP SAMM

Featured Partners

Related Videos

See all videos
Software Security 101: Secure Coding Basics
1:58:48

Software Security 101: Secure Coding Basics

Thomas Konrad

Security Pitfalls for Software Engineers
27:32

Security Pitfalls for Software Engineers

Jasmin Azemović

Cyber Security: Small, and Large!
37:32

Cyber Security: Small, and Large!

Martin Schmiedecker

You can’t hack what you can’t see
29:34

You can’t hack what you can’t see

Reto Kaeser

A Primer in Single Page Application Security (Angular, React, Vue.js)
36:39

A Primer in Single Page Application Security (Angular, React, Vue.js)

Thomas Konrad

Vulnerable VS Code extensions are now at your front door
44:11

Vulnerable VS Code extensions are now at your front door

Raul Onitza-Klugman & Kirill Efimov

Getting under the skin: The Social Engineering techniques
43:56

Getting under the skin: The Social Engineering techniques

Mauro Verderosa

Securing Your Web Application Pipeline From Intruders
44:30

Securing Your Web Application Pipeline From Intruders

Milecia McGregor

Related Articles

View all articles
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security
Chris Heilmann
Dev Digest 131 - AI'm not sure about OSS
News and ArticlesRust and Typescript are rising stars in programming languages 2024 survey, the State of CSS 2024 survey is open and here is what's new in ECMAScript.In security news, a Microsoft update bricks Linux dual-boot systems, they patched a ...
Dev Digest 131 - AI'm not sure about OSS

From learning to earning

Jobs that call for the skills explored in this talk.