VSCode Marketplace, the repository for Visual Studio Code (VSC) extensions, has poor security defenses, allowing threat actors to abuse it and distribute malicious code among its millions of users, experts have warned.
A report from AquaSec tested the platform and concluded that it could very easily be misused to distribute malware.
Additionally, the researchers claim they are not the first to discover these vulnerabilities — some threat actors are already active.
Spoofing important details
In a blog post, AquaSec’s team outlined how it attempted to upload a malicious extension under a lookalike (typosquatted) name for a popular extension with 27 million downloads.
They realized the malware didn’t even need a misspelled name: the platform has a “displayName” field that lets authors name their extensions whatever they like, and display names don’t need to be unique. So they gave their extension exactly the same name as the legitimate one.
Then they found that they could also use the same logo and description as the legitimate extension.
The listing details, although initially pulled from GitHub, can be edited afterwards. This means attackers can easily fake an extension’s details and present the malware as a legitimate tool with a long development history. The only things that can’t be faked are the download count and search ranking.
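The security-relevant point in the passage above is that a VS Code extension is uniquely identified by its `publisher.name` pair from `package.json`, while `displayName`, logo and description are free-form and can be copied. The following script, added here as an example and not code from AquaSec or from the VS Code project, audits a set of marketplace manifests against an allowlist of trusted identifiers: a listing that reuses a trusted display name, or whose identifier is within a small edit distance of a trusted one, is flagged as suspicious. The allowlist and the three sample manifests are constructed for the demonstration.

```javascript
// Added example (not AquaSec's or VS Code's own code).
// Fact relied on: a VS Code extension's unique ID is "<publisher>.<name>"
// from its package.json; displayName is non-unique free text.
// The allowlist and sample manifests below are constructed.

// Hypothetical allowlist: unique extension ID -> display name the team expects.
const TRUSTED = {
  "examplepub.example-tool": "Example Tool",
};

// Constructed sample manifests (subset of package.json fields).
const SAMPLE_MANIFESTS = [
  { publisher: "examplepub", name: "example-tool", displayName: "Example Tool", version: "3.2.0" },
  // Lookalike: identical displayName, identifier differs by one character.
  { publisher: "examp1epub", name: "example-tool", displayName: "Example Tool", version: "3.2.0" },
  // Unrelated extension: neither the name nor the identifier resembles a trusted one.
  { publisher: "otherpub", name: "totally-different", displayName: "Totally Different", version: "0.1.0" },
];

// The marketplace's real identifier for a manifest.
function extensionId(manifest) {
  return `${manifest.publisher}.${manifest.name}`.toLowerCase();
}

// Collapse case, spacing and punctuation so "Example Tool" == "example-tool".
function normalizeName(s) {
  return String(s).toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Classic single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)         // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Audit one manifest against the allowlist.
// verdict: "trusted" (ID on allowlist), "suspicious" (copies a trusted
// display name or has a near-identical ID), or "unknown" (no resemblance).
function auditListing(manifest, trusted = TRUSTED, maxDistance = 2) {
  const id = extensionId(manifest);
  if (Object.prototype.hasOwnProperty.call(trusted, id)) {
    return { id, verdict: "trusted", reasons: [] };
  }
  const reasons = [];
  for (const [trustedId, trustedName] of Object.entries(trusted)) {
    if (normalizeName(manifest.displayName) === normalizeName(trustedName)) {
      reasons.push(`displayName "${manifest.displayName}" matches trusted ${trustedId}`);
    }
    const d = levenshtein(id, trustedId);
    if (d > 0 && d <= maxDistance) {
      reasons.push(`identifier ${id} is within edit distance ${d} of ${trustedId}`);
    }
  }
  return { id, verdict: reasons.length ? "suspicious" : "unknown", reasons };
}

// Audit a whole list of manifests; returns one result per manifest.
function auditAll(manifests, trusted = TRUSTED) {
  return manifests.map((m) => auditListing(m, trusted));
}

// Stand-alone run over the constructed samples.
for (const result of auditAll(SAMPLE_MANIFESTS)) {
  console.log(JSON.stringify(result));
}
```

In practice the manifests would come from the listings a team actually installs (for example from the IDs that `code --list-extensions` prints, which are the `publisher.name` identifiers, not display names); the point of the check is that the verdict is keyed on the unique identifier, and the display name alone is never treated as evidence of legitimacy.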
“However, over time, more and more unsuspecting users will download our fake extension. As these numbers grow, the extension will gain credibility,” AquaSec said. “Furthermore, since there are various services available for purchase on the darknet, very determined attackers may be able to manipulate these numbers by purchasing services to increase downloads and star ratings.”
AquaSec also looked at the verification badges on the VSCode Marketplace and concluded that the feature is pointless, since anything published using a purchased domain will get one, regardless of that domain’s relevance to the software project.
While the researchers only built a proof-of-concept, they also found actual malicious extensions in the store, named “API Generator Plugin” and “Code Tester”.
Visual Studio Code, Microsoft’s source code editor, is used by around 70% of professional software developers worldwide, according to BleepingComputer. Malicious extensions can be used to install other programs in the VSCode IDE, steal source code, or otherwise tamper with it.
Via: BleepingComputer