2021-11-20, 14:00–14:50, Hackfest - Track 1
Attackers have looked all around for means to compromise organizations through developers: malicious 3rd party packages, leaked credentials, unpatched vulnerabilities, and more. But the place that has become the new threat laid under their nose: the IDE.
Supply-chain incidents are constantly on the rise as the level of sophistication and severity of attacks seem to rise with each new case. Notable examples are Dependency Confusion where a researcher was able to hack into leading companies by tricking popular package managers to resolve private dependencies as public, the CodeCov breach and of course SolarWinds which by this point needs no introduction. All of these attacks take advantage of weaknesses along the SDLC. But what if there’s a novel vector that allows issuing these types of attacks?
It turns out that the IDE, the place where developers spend most of their time, can be used to carry out supply chain attacks by leveraging plugin add-ons. We’ve focused on Visual Studio Code - currently the most popular IDE adopted by more than 14M developers and with a marketplace of more than 25k extensions. Some of the extensions spin up internal web servers, often at a fixed port, to serve and render files in a browser instance within the IDE. We’ve discovered that these local servers contain vulnerabilities that can allow an attacker to upload arbitrary files, steal sensitive data and in some cases even execute code. As developer’s machines often contain source code and access tokens to build and deployment systems, this can have devastating consequences on an organization.
In our presentation we’re going to talk about the following points: 1. An intro to the world of supply-chain security concerns 2. Structure of VS Code extensions 3. Case studies of vulnerable extensions: LaTeX Workshop - Command Injection vulnerability , Instant Markdown - XSS & Path Traversal vulnerabilities and Open In Default Browser - Path Traversal vulnerability 4. Perform a live demo 5. Fixes and Mitigations
A detailed research blog with a technical dive into our findings can be found here (https://snyk.io/blog/visual-studio-code-extension-security-vulnerabilities-deep-dive/).