Vulnerable VS Code extensions are now at your front door

Could your favorite VS Code extension be stealing your SSH keys? This talk reveals how a single flaw can lead to total system compromise.

#1about 5 minutes

The expanding role of developers in security

Digital transformation has shifted infrastructure and security responsibilities to developers, increasing their value as an attack target.

#2about 3 minutes

Integrating security earlier in the development lifecycle

Security testing has shifted left to integrate with agile development, making developers responsible for triaging issues like transitive dependency vulnerabilities.

#3about 6 minutes

Common attacks targeting software developers

Attackers compromise developers through methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.

#4about 5 minutes

Why VS Code extensions are a major attack surface

VS Code's massive popularity and its extensive, under-researched extension marketplace make it a prime target for compromising developers.

#5about 2 minutes

Building a pipeline to analyze VS Code extensions

A processing pipeline was built to download all marketplace extensions, extract their source, and run static and dynamic analysis to find vulnerabilities.

#6about 5 minutes

Exploiting path traversal in the Instant Markdown extension

The Instant Markdown extension runs a local web server with a path traversal vulnerability, allowing an attacker to access arbitrary files on the user's machine.

#7about 8 minutes

Bypassing browser security to attack local servers

A malicious website can exploit a local server by using an XSS vulnerability to bypass CORS and exfiltrate data from the victim's machine.

#8about 3 minutes

Demo: Stealing SSH keys via a vulnerable extension

This demonstration shows how visiting a malicious link triggers an exploit chain that steals a local SSH key through the vulnerable Instant Markdown extension.

#9about 5 minutes

Remote code execution in the LaTeX Workshop extension

The LaTeX Workshop extension was vulnerable to remote code execution through a WebSocket connection that could trigger a VS Code API to open local applications.

#10about 3 minutes

Impact, disclosure, and mitigation strategies

Vulnerable extensions can lead to full supply chain attacks, but responsible disclosure led to quick fixes, and developers can mitigate risk through extension hygiene.