Full Disclosure: 1-Click GitHub Token Stealing via a VSCode Bug
Relevance: 8.4
Score breakdown:
technical depth: 8
novelty: 9
actionability: 9
community: 8
strategic: 7
personal: 9
Scored daily by a customisable AI persona to surface the most relevant engineering leadership news.
Critical security vulnerability in VSCode/GitHub, highly actionable and relevant.
Summary
A critical VSCode bug in github.dev's webview security model lets an attacker steal a GitHub OAuth token with full repository access via a single click. The token, which github.com POSTs to github.dev to enable browser-based editing, is not scoped to a single repository. The exploit leverages VSCode's postMessage-based cross-origin communication between the main window and its webview iframes, allowing an attacker-controlled page to exfiltrate the token.