![IntCyberDigest's tweet photo. ‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."](https://pbs.twimg.com/media/HJ1p_C8WwAAXovc.png)
Olivia
Online
CoolKoon
@coolkoon
🇭🇺🇸🇰🇨🇿🇺🇸 IT guy, Linux, Windows, Python, PHP, Javascript, C, bash and some electronics of course. Among others...
Joined March 2007
94 Following
237 Followers
47.2K Posts
@imatrix Nejen v USA. Pokud bych mel legalne koupenou Office 2019 licenci tak bych je udal na SOI taky.
@cljack Yes. And if you're interested in a guy belonging to the second half then you better be able to deal with the first. Nobody said that it's gonna be easy.
@smrt_a_divka Zeleni zmrdi tvrdi ze jo, dle jejich dusevni nemoci doprava je to mensi zlo.
Who to follow
Bruce
@bigbrotherbruce
designs, cooks, bakes, constantly creating
支葵▽
@shikishiki_ao
雑多‖成人済‖毎日かわいいふわ五くん‖Do NOT use/repost (無断使用/転載等禁止)‖プロカ▷https://t.co/FPscqxXdOl
blue-check certified
@MN_Sense
not interested in digital currency/not looking for a companion/only those capable of independent thought need apply
@allie__voss Yep, it also sends the signal that the only thing she might be usable for is sex, if at all.
@zapatas_mom @fixournews @allie__voss Because that's the most adequate response for a fleecing proposal like that, that's why.
Such a lovely FAFO moment for Micro$oft 🤗
‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
![IntCyberDigest's tweet photo. ‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."](https://pbs.twimg.com/media/HJ1qOHoXEAAa6yQ.jpg)
@IntCyberDigest He did the right thing, f|_|ck Micro$oft.
@veronikaruut @Zasilkovna @Alzacz @dpd_cz @Allegro_Group "Město by mohlo reagovat na stížnosti obyvatel a řešit konkrétní problematické případy." - Presne o tohle by slo vsem zmrdum, stezovali by se na kazdy box, protoze nesnesou kdyz neco funguje dobre.
@f_kalenda Kdyz se Trump sekne, jeste i pravdu rekne...
@1ssve "Observational feedback"=source: trust me bro...
@BratBranko Mojmirovce nie su nahodou ciganskou dedinou....?
@f_kalenda Jakchce usporadat knihkupectvi krt kdyz nemaji jeste ani ty mikrofony a aktivni repraky (a maly mixazni pult na ovladani)? To predpokladaji ze se tam sejde jenom 10 lidi nebo co?
@annierubyjane Nic se nemusi, jenom umrit a platit dane. 18 leta holka po ucnaku asi nebydli sama, ze jo...
@AAdlerrrrrrrr It obviously didn't happen because of Transnistria.
@l8explorer Kdyz nekdo dostane sok z vykrvaceni tak taky je uplne vybledlej.
@signulll Probably a new dynamic price gouging algorithm or something like that...
@_promar_ Opravdu se nemuzu rozhodnout jestli tohle je jenom rage bait anebo je to doopravdy...
@randomrecruiter Every single company where HR scum has unlimited veto power over a candidate like that is doomed to crash and burn. HR that does this should be fired.
Last Seen Users on Sotwe
Anang Dewoos
Seen from Indonesia
BaWin
Seen from Vietnam
แลกคู่ สวิ้ง ชอบเย็ดสาวใหญ่ สว
Seen from Thailand
로켓마트
Seen from United Kingdom
Anita Zambrano
Seen from Turkey
DHA Karachi
Seen from Pakistan
Christopher Kanagaraj 
Seen from India
Trai VN
Seen from Thailand
Rawan
Seen from France
Robert Villeret-Richez
Seen from Saudi Arabia
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
60.9M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers