Thomas Chauchefoin & Paul Gerste
You click, you lose: a practical look at VSCode's security
#1about 5 minutes
Why developers are a prime target for attackers
Opening a seemingly harmless project in VS Code can lead to arbitrary code execution because developers have privileged access to systems and code.
#2about 6 minutes
Understanding the architecture of VS Code
VS Code is built on Electron and separates its components into privileged Node.js processes and less-privileged renderer processes for the UI.
#3about 2 minutes
Risks of exposed network services in extensions
Some VS Code components and extensions expose web servers or debuggers on the local network, creating attack vectors for websites or local network actors.
#4about 5 minutes
Exploiting protocol handlers for code execution
The custom `vscode://` protocol handler can be abused through argument injection in built-in extensions like Git, allowing a malicious link to execute arbitrary commands.
#5about 6 minutes
Bypassing workspace trust with malicious configurations
While Workspace Trust aims to prevent attacks from project-specific settings, vulnerabilities in extensions that run in untrusted mode, like the Git extension, can still lead to code execution.
#6about 4 minutes
Escalating cross-site scripting to code execution
Cross-site scripting (XSS) vulnerabilities in components like the Markdown preview can be escalated to full remote code execution by sending messages to the privileged workbench UI.
#7about 2 minutes
Key takeaways on IDE and developer tool security
Security for developer tools is often an afterthought, and features like Workspace Trust are essential for establishing clear security boundaries against attacks.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
01:20 MIN
When attackers target the developer's own tools
Stranger Danger: Your Java Attack Surface Just Got Bigger
05:03 MIN
Why VS Code extensions are a prime target
Vue3 practical development
05:03 MIN
Why VS Code extensions are a major attack surface
Vulnerable VS Code extensions are now at your front door
03:16 MIN
Securing developer access and development tools
Securing your application software supply-chain
03:17 MIN
Exploring specific web vulnerabilities and filtering issues
WeAreDevelopers LIVE - Chrome for Sale? Comet - the upcoming perplexity browser Stealing and leaking
04:42 MIN
Remote code execution in the LaTeX Workshop extension
Vulnerable VS Code extensions are now at your front door
08:03 MIN
Context-blind vulnerabilities from IDE coding assistants
Can Machines Dream of Secure Code? Emerging AI Security Risks in LLM-driven Developer Tools
03:27 MIN
Common security failures beyond individual coding errors
Maturity assessment for technicians or how I learned to love OWASP SAMM
Featured Partners
Related Videos
44:11Vulnerable VS Code extensions are now at your front door
Raul Onitza-Klugman & Kirill Efimov
27:10Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
Sonya Moisset
29:50Real-World Security for Busy Developers
Kevin Lewis
28:41101 Typical Security Pitfalls
Alexander Pirker
44:11Vue3 practical development
Mikhail Kuznetcov
1:58:48Software Security 101: Secure Coding Basics
Thomas Konrad
25:28How GitHub secures open source
Joseph Katsioloudes
23:34Secure Code Superstars: Empowering Developers and Surpassing Security Challenges Together
Stefania Chaplin
Related Articles
View all articles
.png?w=240&auto=compress,format)
From learning to earning
Jobs that call for the skills explored in this talk.
Speech Processing Solutions
Vienna, Austria
Intermediate
CSS
HTML
JavaScript
TypeScript
SYSKRON GmbH
Regensburg, Germany
Intermediate
Senior
.NET
Python
Kubernetes
doinstruct Software GmbH
Berlin, Germany
Senior
GIT
JavaScript
TypeScript
immocloud GmbH
Düsseldorf, Germany
Senior
Java
Vue.js
JavaScript
TypeScript
Lotum media GmbH
Bad Nauheim, Germany
Senior
Node.js
JavaScript
TypeScript
autoiXpert GmbH & Co. KG
Stuttgart, Germany
Senior
Node.js
Angular
MongoDB
TypeScript