

Ethical Hacking News

New Vulnerability in VS Code Exposes Private Repositories to Attackers


A new vulnerability has been discovered in Visual Studio Code (VS Code) that can compromise private repositories. The researcher's decision to publish the bug directly rather than submit it through MSRC highlights the need for improved bug handling processes and responsible disclosure practices.

  • A recent discovery by researcher Ammar Askar reveals a previously unknown vulnerability in Visual Studio Code (VS Code) that can compromise private repositories.
  • The vulnerability resides in github.dev, allowing unauthorized access to all public and private repositories accessible by the user.
  • An attacker can gain access to sensitive information stored in those repositories by clicking on a link or modifying the URL of a repository.
  • The researcher's decision to release a working proof-of-concept publicly has highlighted the need for better bug handling processes and support for security researchers.



    A recent discovery by a researcher, Ammar Askar, has shed light on a previously unknown vulnerability in Visual Studio Code (VS Code) that can compromise private repositories. The finding, which was made public hours after its disclosure, highlights the complexities of bug handling and security vulnerabilities in popular software tools.


    The vulnerability resides in github.dev, the browser-based version of VS Code that is launched when a user opens a GitHub repository in the editor. When an OAuth token is sent from github.com to github.dev, it lacks scope restriction, allowing it to access all public and private repositories that the user can access.
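    The paragraph above turns on one property: a token that carries no scope restriction gives whoever holds it the full reach of the user's account, while a token bound to the repository the user actually opened limits the damage if it leaks. The following Python model, added here as an illustration and not code from GitHub, github.dev or VS Code, makes that difference concrete. The scope grammar (`repo` for everything versus `repo:<perm>:<owner>/<name>` for one repository) is constructed for the example and is not GitHub's real scope format.

```python
"""
Illustrative model of OAuth token scope enforcement.
Added example, not GitHub's or VS Code's actual code.
Constructed scope grammar for this demonstration only:
  "repo"                         -> access to every repository the user can reach
  "repo:<perm>:<owner>/<name>"   -> access to one repository, perm in {read, write}
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    subject: str              # user the token was issued for
    scopes: frozenset[str]    # granted scopes (constructed grammar above)


def unscoped_token(subject: str) -> Token:
    """Token as described in the article: no scope restriction at all."""
    return Token(subject, frozenset({"repo"}))


def token_for_repo(subject: str, repo: str, perm: str) -> Token:
    """Least-privilege alternative: bound to the one repository being opened."""
    assert perm in ("read", "write")
    return Token(subject, frozenset({f"repo:{perm}:{repo}"}))


def is_allowed(token: Token, repo: str, action: str) -> bool:
    """Decide whether `token` may perform `action` ('read' or 'write') on `repo`."""
    if "repo" in token.scopes:          # unrestricted scope: everything is allowed
        return True
    # a write permission implies read; a read permission does not imply write
    satisfying = {"read": {"read", "write"}, "write": {"write"}}[action]
    for scope in token.scopes:
        parts = scope.split(":", 2)
        if len(parts) == 3 and parts[0] == "repo" \
                and parts[1] in satisfying and parts[2] == repo:
            return True
    return False


def blast_radius(token: Token, repos: list[str]) -> list[str]:
    """Repositories the token could read if it were exfiltrated (sorted)."""
    return sorted(r for r in repos if is_allowed(r_token := token, r, "read"))


if __name__ == "__main__":
    # constructed sample: the user has one public and one private repository
    repos = ["alice/public-notes", "alice/private-secrets"]
    wide = unscoped_token("alice")
    narrow = token_for_repo("alice", "alice/public-notes", "read")
    print("unscoped token reaches:", blast_radius(wide, repos))
    print("scoped token reaches:  ", blast_radius(narrow, repos))
```

    The `blast_radius` check is the part a defender cares about: run it over the repositories an account can reach and a token that reports more than the repository it was issued for is over-privileged, regardless of how it leaked.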


    In other words, the researcher discovered that by simply clicking on a link or modifying the URL of a repository, an attacker can gain unauthorized access to sensitive information stored in those repositories. This includes being able to read and write to private repositories without requiring authentication.


    According to Askar, he had previously reported a security vulnerability in VS Code to Microsoft's security response team (MSRC), but that experience was marred by a lack of credit and by his report being marked as having no security impact. He stated that this incident led him to lose trust in MSRC's handling of bug reports.


    As a result, Askar decided not to submit the vulnerability through MSRC, instead choosing to release a working proof-of-concept (PoC) publicly. His reasoning was that it would be better for Microsoft to see the vulnerability being exploited publicly than to wait for it to be discovered by malicious actors.


    The researcher's actions have sparked a debate about the importance of responsible disclosure and how it affects the balance between security and usability in software tools. While some argue that public disclosure is essential for finding and fixing vulnerabilities, others believe that it can also lead to a lack of transparency and accountability.


    In this case, Askar's decision to release the PoC publicly has highlighted the need for software companies like Microsoft to improve their bug handling processes and provide better support to security researchers who contribute to the development of their products. By doing so, these companies can foster a more collaborative environment that encourages responsible disclosure and accelerates the discovery and fixing of vulnerabilities.


    Ultimately, the vulnerability discovered by Ammar Askar serves as a reminder of the importance of vigilance and proactive measures in protecting against cyber threats. As software tools continue to play an increasingly critical role in our daily lives, it is essential that we prioritize their security and ensure that they are designed with safeguards that prevent unauthorized access to sensitive information.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Vulnerability-in-VS-Code-Exposes-Private-Repositories-to-Attackers-ehn.shtml

  • https://securityaffairs.com/193128/security/researcher-drops-a-new-vs-code-zero-day-after-losing-trust-in-microsofts-disclosure-process.html


  • Published: Thu Jun 4 05:36:46 2026 by llama3.2 3B Q4_K_M