Full Disclosure: 1-Click GitHub Token Stealing via a VSCode Bug
69 points by ammar2
MSRC seems to have ruffled a lot of feathers recently.
Indeed, I actually wasn't caught up on most of that discourse though. If you read the linked post in "Why Full Disclosure" section, around 3 years ago they were pretty horrible on another VSCode bug so I said then I would go with public disclosure for them going forward.
Disclosure practices have been broken for a while, but the scale has been tipped a few times more this year. Specifically on the sheer scale of bugs being found lately.
This article is a breath of fresh air. It's nice to see clear impact and mitigation steps, which security people seem to skip these days for higher engagement/virality.
I mean they're not always the best people to suggest mitigations. I don't want to call it the "wildest shit" I have seen recommended after pen tests and audits, but certainly 'questionable'.
Luckily it's usually helpful, even if just as an example. Also I don't blame them, unless it's frontend with code available it's often a bit of guesswork.
Nice find. It's clearly "out of scope" according to the hilarity of MSRC scope declarations, so it's a good full disclosure candidate. MS making an ass of themselves recently is the most recent of a grand series of MS being utterly inconsiderate of researchers.
The disclosures must continue until code quality and responsibility improves.
Why would it be out of scope? They should have reported it directly to GitHub's H1 program instead of MSRC. And especially instead of holding a grudge against MSRC for three years. What a dumb way to torpedo your reputation in anger. Probably also could have gotten a decent bounty... GitHub paid out 200K the past three months. They have a well run security program.
There is a section which documents that logic: https://blog.ammaraskar.com/github-token-stealing/#why-full-disclosure
Otherwise, I find it somewhat comical to suggest that he's "torpedo[ing] his reputation", and I do not see this post as out of anger, but of valid protest. You can lose respect for him if you wish, mine remains undiminished.
Thank you Addison! I really appreciate that.
And as a non-sequitur, thank you for maintaining LibAFL. We used it to power a Java fuzzer during AIxCC and it was so easy to integrate https://team-atlanta.github.io/blog/post-crs-java-libafl-jazzer/
Also adding context here since you made a similar comment on the orange website:
For the record here's my HackerOne profile https://hackerone.com/ammar2/hacktivity?type=user
That 2023 bug was initially reported to GitHub's HackerOne program and they explicitly told me it was out of scope for them and to take it to MSRC:
We have reviewed the report and determined that the vulnerability is in VS Code and the fix will be implemented by Microsoft. As a result, it is not eligible for reward under the Bug Bounty program. Please follow-up with Microsoft via the report you submitted.
There was also an additional bug that allowed an attacker to exfiltrate private repo contents with a github.dev link that MSRC also marked as not having security impact.
I absolutely loved working with GitHub folks on the GitHub bug bounty program, they're responsive, go into technical details with you and are awesome to deal with. MSRC is like the polar opposite of that.
Hey you be you. But as someone on the defensive side I can tell you that it is getting really difficult to handle incidents when responsible disclosure goes to hell. And this just sets the tone even more that it is a yolo world now. Is that really where we want to end up?
When I read your posting and especially "An hour before posting I gave a heads up to an old contact at GitHub security that I would be disclosing this bug" it feels malicious and bragging and simply not in good faith.
It feels more like revenge. "Ha ha y'all deserve that". Well maybe Microsoft did, but what you also cause is thousands of teams around the world spinning up their incident process to figure out what the heck has happened now.
We're all exhausted already and these kinds of reports just don't help to make the situation better.
You could have tried to submit it to GitHub H1 because, as your profile shows, you have a great reputation there and I have no doubt they would have taken your bug seriously and also rewarded you for it. You could have asked for disclosure and still taken credit for it and done a nice blogpost.
Just sayin'
And I also mean this seriously - keep up the great work and keep finding good bugs - all contributions make things a bit safer in the end. Yeah it is weird.
Is that really where we want to end up?
No but it is in fact a two-way street. Would you prefer security researchers sit on bugs or sell them on the black market? When you take hours/days of effort that go into finding a bug and crafting it into a proof-of-concept, and the vendor silently patches it without any acknowledgement, what do you think will happen?
it feels malicious and bragging and simply not in good faith
Feel free to interpret it how you want but my thinking there was, "if this doesn't get big on the internet, I still want GitHub security to be aware so they can escalate internally as it has an outsized impact on them"
You could have tried to submit it to GitHub H1 because as your profile shows you have a great reputation there
I don't think my reputation has any bearing on what they consider in-scope for their program. They would have just punted me to MSRC again.
keep up the great work and keep finding good bugs
Thank you, I do appreciate thoughtful responses like this. You've been very good faith and I will keep the feedback in mind. I've been on the defending side as well and it is important to consider burnout there as well, especially in the face of what I assume are thousands of plausible looking reports generated by LLMs.
But as someone on the defensive side I can tell you that it is getting really difficult to handle incidents when responsible disclosure goes to hell.
I am also on the defensive side, but occasionally part of a "red team".
You're talking to the wrong party about responsible disclosure "going to hell". GitHub did this by declaring the researcher's last bug out of scope and sending them to MSRC, where they had a very bad experience. It's no wonder they don't want to jump through this vendor's hoops anymore. It was nice that they at least gave a personal contact there a "heads-up" so they could escalate it.
This researcher tried responsible disclosure. The vendor sent it to hell. You are a customer of that vendor. You should exert pressure on the vendor to stop sending researchers' attempts at responsible disclosure to hell. Not exert pressure on researchers to keep doing, for free, what didn't work before.
"One strike three years ago and you are out!"
You know, people change. Teams change. Infosec changes. Maybe I just don't think in absolutes so much. I would be a little more forgiving and give them another chance. But that is me, we're all different :-)
It was one strike against this particular researcher. They've managed a hell of a lot of strikes lately. I admire your willingness to put up with their bullshit a second time, but I don't feel like I can demand that of a researcher who's working for free.
I do feel that I can demand, of a vendor from whom I buy products and services, that they run their security program more responsibly, and respond appropriately to people who are offering them free reports.
And I very strongly feel that I, as a customer, should chew on the vendor (who I'm paying!) about that matter, not the researcher who's working for free!