BleepingComputer reports that a vulnerability in the Microsoft Visual Studio Code editor and development environment could let malicious extensions steal authentication tokens stored in the Windows, macOS, and Linux credential managers.
Cycode researchers leveraged the flaw, which stems from the absence of authentication token isolation in VS Code's "Secret Storage" API, to develop an extension that enabled the theft of CircleCI tokens, and then created a more sophisticated technique that allowed token theft without tampering with extension code.
"We developed a proof-of-concept malicious extension that successfully retrieved tokens not only from other extensions but also from VS Code's built-in login and sync functionality for GitHub and Microsoft accounts, presenting a 'Token Stealing attack,'" said Cycode.
Microsoft was notified about the VS Code security flaw and the developed PoC two months ago but has not deemed the issue to require a fix and has instead chosen to maintain the current Secret Storage framework.