
Here's how a researcher broke into Microsoft VS Code's GitHub
2021-01-27 10:05

This month, a researcher disclosed how he broke into the official GitHub repository of Microsoft Visual Studio Code.

While riding a train, researcher RyotaK discovered a vulnerability in VS Code's Continuous Integration script that let him break into Microsoft VS Code's official GitHub repository and commit files.

"I was too bored while I was on the train, so I decided to read the VS Code code. After a while, I noticed that VS Code has a separate repository for CI scripts named vscode-github-triage-actions. So I decided to read it," RyotaK told BleepingComputer.

The researcher browsed through the GitHub Actions code files for the project to get an understanding of the Continuous Integration and Continuous Delivery workflow.

Further, the researcher obtained the GitHub authorization token for the VS Code repository, which would give him write access to the repository.

In this case, the ethical hacker RyotaK discovered and responsibly reported the flaw to Microsoft before advanced threat actors could exploit it to push their malicious code upstream into the Visual Studio Code repository.


News URL

https://www.bleepingcomputer.com/news/security/heres-how-a-researcher-broke-into-microsoft-vs-codes-github/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 725 810 4730 4734 3648 13922
Github 12 2 40 30 14 86