Recently, a group of Israeli researchers created and published a malicious VSCode extension in 30 minutes. Surprisingly, the extension was soon trending and had 100+ downloads within the first 24 hours, exposing how vulnerable the platform is.
Built with Flaws
The experiment revealed that over 1,280 extensions had malicious dependencies packaged in them, with a combined total of 229 million installations. Also, 87 extensions attempted to read the /etc/passwd file on the host system.
Amit Assaraf, the co-founder of real estate investing app Landa, and one of the Israeli researchers who experimented to expose the flaw, said, “Unlike Google Chrome extensions, VSCode extensions are practically apps/executables running on your machine with zero limitations on what they can do on the host.
“This means extensions pose a threat to spawn child processes, system calls or even import any NodeJS package they’d like.”
In the experiment conducted by Assaraf and his team members Itay Kruk and Idan Dardikman, it was found that 2,304 extensions listed another publisher’s GitHub repo as their official repository. This means you have no way to tell whether the code of your extension and the linked GitHub repository are the same.
A major flaw in the popular open-source code editor VSCode is that extensions are not sandboxed. Though there is a provision for sandboxing code, it does not apply to extensions.
Since extensions are not sandboxed, they can access anything inside the IDE and execute anything on the host machine without the developer receiving any feedback.
Apart from sandboxing, VSCode also lacks permission management. You will find multiple feature requests to add a permission manager to VSCode, similar to what we have on our smartphones, so that users know what is being accessed by extensions.
This way, a theme extension built only to change the colours of the IDE may execute code and read or write files without any visibility or explicit authorisation from the user.
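Two of the findings above can be turned into a local audit a defender can run against an extensions folder: an extension whose listed GitHub repository belongs to a different owner than its publisher, and a theme extension that nevertheless ships an executable entry point. The script below is an added example, not the researchers’ tooling or anything from VSCode itself; it assumes the standard extension manifest fields (`publisher`, `name`, `repository`, `main`/`browser`, `contributes.themes`) and the `<dir>/<ext>/package.json` layout of `~/.vscode/extensions`, and the two manifests embedded in it are constructed for the demo.

```python
import json
import re
from pathlib import Path

# Constructed sample manifests (not real marketplace extensions) for the demo.
SAMPLE_MANIFESTS = {
    "acme.rainbow-theme": {  # clean: pure theme, repo owner matches publisher
        "name": "rainbow-theme", "publisher": "acme",
        "repository": {"type": "git", "url": "https://github.com/acme/rainbow-theme.git"},
        "contributes": {"themes": [{"label": "Rainbow", "path": "./themes/rainbow.json"}]},
    },
    "pretty.dark-theme": {  # suspicious: theme that ships code, repo owned by someone else
        "name": "dark-theme", "publisher": "pretty",
        "repository": "https://github.com/someone-else/dark-theme",
        "main": "./out/extension.js",
        "contributes": {"themes": [{"label": "Dark", "path": "./themes/dark.json"}]},
    },
}

# Matches the owner segment in https://github.com/<owner>/... and git@github.com:<owner>/...
GITHUB_RE = re.compile(r"github\.com[/:]([^/]+)/", re.IGNORECASE)

def repo_owner(repository):
    """Return the lower-cased GitHub owner from a manifest 'repository' field (str or {url}), or None."""
    url = repository.get("url", "") if isinstance(repository, dict) else (repository or "")
    m = GITHUB_RE.search(url)
    return m.group(1).lower() if m else None

def audit_manifest(manifest):
    """Return a list of human-readable findings for one extension manifest (empty if clean)."""
    findings = []
    publisher = str(manifest.get("publisher", "")).lower()
    owner = repo_owner(manifest.get("repository"))
    if owner and owner != publisher:
        findings.append(f"listed repository owner '{owner}' differs from publisher '{publisher}'")
    entry = manifest.get("main") or manifest.get("browser")
    if "themes" in manifest.get("contributes", {}) and entry:
        findings.append(f"theme extension ships an executable entry point: {entry}")
    return findings

def audit_directory(ext_dir):
    """Scan <ext_dir>/*/package.json and return {extension id: findings}."""
    results = {}
    for manifest_path in Path(ext_dir).glob("*/package.json"):
        with open(manifest_path, encoding="utf-8") as f:
            manifest = json.load(f)
        ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
        results[ext_id] = audit_manifest(manifest)
    return results

if __name__ == "__main__":
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        print(ext_id, audit_manifest(manifest) or ["no findings"])
```

Run `audit_directory(Path.home() / ".vscode" / "extensions")` to check what is actually installed; a finding is a prompt to read the extension’s code, not proof of malice.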
Auto Update of Extension
VSCode extensions automatically update to the latest version behind the scenes. This means a developer can initially publish an extension without any malicious intent and later push an update that introduces malicious code.
The same happened with the xz utility, which was safe for years and was later found to contain a backdoor.
$5 to Verify VSCode Extension
Extension verification allows extension authors to verify the ownership of a domain to establish their authenticity and credibility, with the verified domain displayed alongside their name.
Isidor Nikolic, a senior product manager at Microsoft, VS Code, mentions that extension authors can become verified by proving ownership of an eligible domain associated with their brand or identity.
Interestingly, to verify your extension, all you have to do is get a domain for your extension (which usually costs around $5) and soon you’ll receive a badge from VSCode suggesting that your extension is verified.
A GitHub user critiqued the process, calling the verification badge totally useless and misleading. “The verified blue check mark merely means that whoever the publisher is has proven the ownership of a domain. And that means any domain. In reality, a publisher could buy any domain and register it to get that verified check mark,” he said.
Sure, there are manual steps involved in the verification process, but they are not rock solid. You can use a different name while applying for verification and, as soon as you are verified, change it to look exactly like the name of the original extension.
“Security is not a high priority for Microsoft as they want as many extensions on their marketplace as possible,” the Israeli researchers added.
Solutions to Navigate
Vignesh Rajan, a lead engineer at GenAI startup MachineHack, suggested, “You may use VSCode but with as few extensions as possible to minimise the risk. If necessary, a developer should do thorough research on which extension is official and can be trusted before installation.”
By nature, VSCode relies heavily on extensions to enhance its functionality. It is a bare-bones IDE where developers install extensions of their choice to get the job done.
You may also switch to a closed-source IDE such as IntelliJ. One user, while praising IntelliJ for Java development, mentioned that “VS Code is not only unsuitable (still) for larger enterprise-level projects, it is also less reliable, responsive and stable than IntelliJ.”
On November 18, 2015, the source code of VS Code was released under the MIT License and made available on GitHub. The idea was to create a lightweight platform powered by extensions, and it was an instant success.