Weaknesses in the extension verification processes of IDEs such as Visual Studio Code can allow attackers to execute malicious code on developer machines. Researchers found that flaws let verified extensions be altered while keeping the verification icon, misleading developers into trusting them. Attackers can create malicious extensions that mimic verified ones, bypassing security checks and hiding dangerous scripts. This highlights the risk of extension sideloading abuse, which can compromise sensitive developer environments with remote code execution capabilities. Proof-of-concept demonstrations show such malicious extensions executing commands on Windows machines, underscoring their potential threat.
We discovered that flawed verification checks in Visual Studio Code allow publishers to add functionality to extensions while maintaining the verified icon, resulting in potential for malicious extensions to appear verified.
The exploitation method involves creating a malicious extension with the same verifiable values as an already verified extension, allowing rogue extensions to appear verified to unsuspecting developers.
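Because the verified icon can survive tampering, a defender cannot rely on it alone; the local extension registry is a second place to look. The following added example (not part of the original article or the researchers' tooling) audits a constructed copy of VS Code's extensions.json, flagging extensions that were not installed from the Marketplace and extensions whose publisher name matches a known publisher but whose recorded publisherId differs. The file layout (identifier.id, metadata.publisherId, metadata.source) and the allowlist of publisher ids are assumptions for illustration.

```python
import json

# Constructed sample in the assumed shape of ~/.vscode/extensions/extensions.json.
# Entry 1: normal Marketplace install. Entry 2: sideloaded VSIX that reuses a
# known publisher name but carries a different publisherId. Entry 3: sideloaded
# extension with no Marketplace metadata at all.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "trusted-pub.linter"}, "version": "3.2.0",
     "metadata": {"publisherId": "11111111-1111-1111-1111-111111111111",
                  "publisherDisplayName": "Trusted Publisher", "source": "gallery"}},
    {"identifier": {"id": "trusted-pub.linter-pro"}, "version": "1.0.0",
     "metadata": {"publisherId": "22222222-2222-2222-2222-222222222222",
                  "publisherDisplayName": "Trusted Publisher", "source": "vsix"}},
    {"identifier": {"id": "acme.local-helper"}, "version": "0.0.1"},
])

# Assumed allowlist: publisher name -> publisherId recorded from a trusted install.
KNOWN_PUBLISHER_IDS = {"trusted-pub": "11111111-1111-1111-1111-111111111111"}


def audit_extensions(raw_json, known_ids=KNOWN_PUBLISHER_IDS):
    """Return (extension id, finding) pairs for entries that warrant review."""
    findings = []
    for entry in json.loads(raw_json):
        ext_id = entry["identifier"]["id"]
        publisher = ext_id.split(".", 1)[0]          # "publisher.name" convention
        meta = entry.get("metadata") or {}
        source = meta.get("source")
        # Anything not recorded as a Marketplace ("gallery") install was sideloaded.
        if source != "gallery":
            findings.append((ext_id, f"not installed from the Marketplace (source={source})"))
        # Same publisher name as a known publisher but a different id: possible impersonation.
        expected = known_ids.get(publisher)
        if expected is not None and meta.get("publisherId") != expected:
            findings.append((ext_id, "publisher name matches a known publisher but publisherId differs"))
    return findings


if __name__ == "__main__":
    for ext_id, finding in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{ext_id}: {finding}")
```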