1-Click GitHub Token Stealing via a VSCode Bug
Relevance: 9.7
Score Breakdown
Technical depth: 9
Novelty: 9
Actionability: 8
Community: 9
Strategic: 8
Personal: 9
Scored daily by a customisable AI persona to surface the most relevant engineering leadership news.
Critical VSCode bug enabling token theft is essential security knowledge for developers.
Summary
A VSCode bug in webview postMessage handling enables 1-click theft of GitHub OAuth tokens with full read/write access to all of the victim's repositories, including private ones. The attack targets github.dev's browser-based VSCode, which receives a powerful, unscoped token via POST. By crafting malicious Markdown or Jupyter output that sends a crafted postMessage to the webview, an attacker can bypass VSCode's cross-origin iframe sandbox and exfiltrate the token.