The VSCode Marketplace is pretty easy to hack with malicious extensions
>
VSCode Marketplace, a repository for Visual Studio Code (VSC) third parties, has poor security, allowing attackers to exploit it and distribute malicious code to its millions of users, experts warn.
A report from AquaSec tested the platform and concluded that it was misused to distribute malware (opens in new tab) was ridiculously easy.
In addition, the researchers claim that they were not the first to discover the flaws – some threat actors were already active.
Falsifying important details
In a blog post (opens in new tab)AquaSec’s team outlined how it attempted to upload a typosquatted, malicious version of a popular extension with 27 million downloads.
It realized that the malware didn’t even need to be typed – the platform has a feature called ‘displayName’ that allows the authors to name their extensions whatever they want – the name doesn’t have to be unique. So they named it exactly the same as the legitimate one.
Then they realized they could also use the same logo and description as the legitimate project.
Also, while the details are pulled from GitHub, they can be edited later. That means the attackers can easily spoof the project details and present the malware as a legitimate tool with a long development history. The only thing that could not be faked was the number of downloads and the search ranking.
“Over time, however, an increasing number of unknowing users will have downloaded our fake extension. As these numbers grow, the extension will gain credibility,” said AquaSec. “Furthermore, since it is possible to purchase various services on the dark web, a highly determined attacker could potentially manipulate these numbers by purchasing services that would inflate the number of downloads and stars.”
AquaSec also looked at the verification badge on VSCode Marketplace and concluded that the feature is pointless, as every published with a purchased domain gets one, regardless of the domain’s relevance to the software project.
While the researchers only created a proof-of-concept, they also found real malicious code lurking in the store. These are called “API Generator Plugin” and “Code Tester”.
Visual Studio Code is Microsoft’s source code editor, according to about 70% of professional software developers worldwide Beeping computer. The extensions can be used to install additional programs, steal source code, or otherwise tamper with it in the VSCode IDE.
Through: Beeping computer (opens in new tab)