VS Code Security Flaw Exposes GitHub OAuth Tokens in One Click

A critical security flaw in Microsoft Visual Studio Code (VS Code) lets an attacker steal a victim's GitHub OAuth token with a single malicious click. According to researcher Ammar Askar, the victim only needs to open a specially crafted link; no further interaction is required, and the stolen token exposes sensitive data, including the contents of private repositories. The flaw affects github.dev, the edition of VS Code that runs directly in the browser, rather than the desktop application.
A silent and instantaneous attack
The exploit relies on a misconfiguration in how github.dev integrates with VS Code. When the user opens the malicious link, the browser issues an authenticated request to GitHub's API on the user's behalf, and the OAuth token that accompanies that request ends up in the attacker's hands without any prompt, consent dialog or other visible sign. Because the token is a bearer credential, whoever holds it can act as the victim: it grants read access to the victim's repositories, private ones included, and also allows malicious modifications such as pushing changes.
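The article does not describe the exact mechanism, so the following is an added, hypothetical illustration of the bug class it points at: a browser-hosted IDE that lets a link parameter steer where an authenticated API request is sent, so a crafted link makes the client hand its bearer token to a host the attacker controls. This is not github.dev's or VS Code's code and does not reproduce the reported flaw; the `api` query parameter, the `ide.example` and `evil.example` hostnames and the placeholder token are all assumptions. The unsafe resolver is shown beside a hardened one that compares the full origin against an allowlist.

```javascript
// Hypothetical example of the "crafted link redirects an authenticated request" pattern.
// Not the actual github.dev vulnerability; hostnames and the `api` parameter are assumed.

const FALLBACK_API = "https://api.github.com";
// Exact origins (scheme + host + port) the client is allowed to send its token to.
const TRUSTED_API_ORIGINS = new Set([FALLBACK_API]);

// Vulnerable pattern: the API base URL is taken straight from the page's link.
// A link such as https://ide.example/?api=https://evil.example makes every
// authenticated request, token included, go to evil.example.
function resolveApiBaseUnsafe(pageUrl) {
  const api = new URL(pageUrl).searchParams.get("api");
  return api ? api.replace(/\/+$/, "") : FALLBACK_API;
}

// Hardened pattern: parse the supplied value as a URL and accept it only if its
// origin is on the allowlist. Comparing the origin (not a substring) defeats
// "api.github.com.evil.example" and "https://evil.example/https://api.github.com";
// unparsable values and non-http schemes (origin "null") fall back as well.
function resolveApiBaseSafe(pageUrl) {
  const raw = new URL(pageUrl).searchParams.get("api");
  if (!raw) return FALLBACK_API;
  let candidate;
  try {
    candidate = new URL(raw);
  } catch {
    return FALLBACK_API;
  }
  return TRUSTED_API_ORIGINS.has(candidate.origin) ? candidate.origin : FALLBACK_API;
}

// Builds the request the browser would send for the signed-in user. The token is a
// bearer credential: whoever receives this request can replay it against GitHub.
function buildUserRequest(pageUrl, token, resolver) {
  const base = resolver(pageUrl);
  return {
    url: `${base}/user`,
    headers: { Authorization: `Bearer ${token}` },
  };
}

// Returns the host that would receive the token for a given link and resolver.
function tokenRecipient(pageUrl, resolver) {
  const req = buildUserRequest(pageUrl, "REDACTED_TOKEN", resolver); // constructed placeholder token
  return new URL(req.url).host;
}

// Constructed sample links an attacker might send to a victim of the hypothetical IDE.
const CRAFTED_LINKS = [
  "https://ide.example/?api=https://evil.example",
  "https://ide.example/?api=https://api.github.com.evil.example",
  "https://ide.example/?api=https://evil.example/https://api.github.com",
  "https://ide.example/?api=javascript:alert(1)",
  "https://ide.example/?api=https://api.github.com/",
];

for (const link of CRAFTED_LINKS) {
  console.log(
    `${link}\n  unsafe -> ${resolveApiBaseUnsafe(link)}\n  safe   -> ${resolveApiBaseSafe(link)}`
  );
}
```

The general lesson, independent of the specific bug: any value that influences the destination of an authenticated request, whether it arrives in a query string, a fragment, a postMessage payload or a protocol-handler URL, must be validated against an exact-origin allowlist before a bearer token is attached. A good secondary control is to keep the token out of the page entirely and have a backend proxy add it, so a steered request cannot carry it.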
Urgent measures recommended
VS Code users are advised to review the applications and tokens authorized on their GitHub account and to revoke anything they do not recognize from the account's security settings. Revocation matters more than review: a token that has already been stolen stays valid until it is revoked, so anyone who suspects they clicked such a link should revoke and re-authorize rather than only inspect. At the time of writing Microsoft has not released an official fix, so the interim mitigations are to avoid github.dev until it is patched or to open it only from a separate browser profile that is not signed in to GitHub (an isolated browser that still holds a GitHub session offers no protection). This flaw underscores the need to keep track of the permissions granted to third-party development tools and to grant the narrowest scopes they actually require.
Source: The Hacker News. Editorial synthesis assisted by AI — TechnoExpress.

