
How Easy Is It to Publish a Malicious Extension on VSCode?

crystaly

A group of Israeli researchers recently demonstrated the ease of publishing a malicious VSCode extension, completing the process in just 30 minutes. Remarkably, the extension quickly trended and received over 100 downloads within 24 hours, underscoring a significant security gap in the platform.

Extension Vulnerabilities Exposed

The researchers' experiment revealed that over 1,280 extensions contained malicious dependencies, with a total of 229 million installations. Furthermore, 87 extensions attempted to access the `/etc/passwd` file on the host system.

Amit Assaraf, co-founder of the real estate investing app Landa and one of the researchers, stated, "VSCode extensions operate like standalone applications without any restrictions, unlike Google Chrome extensions."

"This unrestricted access allows extensions to execute various system operations, including running child processes and importing any NodeJS package," Assaraf explained.

The experiment, conducted by Assaraf, Itay Kruk, and Idan Dardikman, also discovered that 2,304 extensions listed other publishers' GitHub repositories as their official sources, making it difficult to verify the integrity of the extension code.

A critical flaw in VSCode is that extensions are not sandboxed. While there is an option to sandbox code, it doesn't apply to extensions. This lack of sandboxing means extensions can access and execute any operation on the host machine without user awareness.

Additionally, VSCode lacks a permission management system similar to those on smartphones, which inform users about what an extension is accessing. Consequently, an extension designed for a simple task, like changing the IDE's colors, could potentially read or write files without explicit user consent.

Automatic Updates Pose Risks

VSCode extensions automatically update to the latest version without user intervention. This feature means a developer could initially publish a harmless extension and later introduce malicious code through an update, as seen with the xz utility, which was safe for years before a backdoor was found.

Inexpensive Verification Process

To verify an extension, authors must prove domain ownership, typically costing around $5, which adds a verification badge next to their name. Isidor Nikolic, a senior product manager at Microsoft, explains that this verification process is designed to establish the author's credibility.

However, critics argue that the verification badge is misleading. A GitHub user pointed out that it only confirms domain ownership, not the safety of the extension. The manual verification steps are not robust enough to prevent misuse, allowing publishers to change their names post-verification to mimic legitimate extensions.

Assaraf noted, "Microsoft prioritizes having a large number of extensions in their marketplace over security."

Recommendations for Developers

Vignesh Rajan, a lead engineer at GenAI startup MachineHack, advised developers to use as few extensions as possible and thoroughly research their credibility before installation.

VSCode, designed as a lightweight, extension-based platform, relies heavily on extensions to enhance functionality. However, these findings highlight the need for improved security measures within its ecosystem. Developers might also consider using closed-source IDEs like IntelliJ for better reliability and security in larger projects.

Since its source code release under the MIT License in 2015, VSCode has become immensely popular, but this popularity brings attention to its potential vulnerabilities.
