The VSCode Marketplace is pretty easy to hack with malicious extensions

VSCode Marketplace, a repository for Visual Studio Code (VSC) externsions, has poor security defenses, allowing threat actors to abuse it a...

VSCode Marketplace, a repository for Visual Studio Code (VSC) externsions, has poor security defenses, allowing threat actors to abuse it and distribute malicious code among the millions of its users, experts have warned.

A report from AquaSec tested the platform and concluded that abusing it to distribute malware was ridiculously easy. 

Furthermore, the researchers claim they weren’t the first to spot the flaws - some threat actors were already active. 

Spoofing important details

In a blog post, AquaSec's team outlined how it tried to upload a typosquatted, malicious version of a popular extension with 27 million downloads. 

It realized that the malware needed not even be typosquatted -  the platform has a feature called ‘displayName’ allowing the authors to name their extensions however they like - the name does not need to be unique. So, they named it exactly the same as the legitimate one.

Then, they realized that they could also use the same logo and description as the legitimate project.

Also, the details, while they get pulled from GitHub, can later be edited. That means that the attackers can easily spoof the project details and present the malware as a legitimate tool with a long development history. The only thing that couldn’t be spoofed was the number of downloads and the search ranking. 

"However, over time an increasing pool of unknowing users will have downloaded our faux extension. As these figures grow, the extension will gain credibility," AquaSec said. "Additionally, since in the dark web it is possible to purchase various services, an extremely determined attacker could potentially manipulate these numbers by buying services which would inflate the number of downloads and stars."

AquaSec also looked at the verification badge on VSCode Marketplace and concluded that the feature is meaningless, as any published with a purchased domain gets one, regardless of the relevance of the domain to the software project.

While the researchers only made a proof-of-concept, they also found actual malicious code lurking in the store. These are named “API Generator Plugin” and “code tester”.

Visual Studio Code is Microsoft’s source-code editor, used by some 70% of professional software developers worldwide, according to BleepingComputer. The extensions can be used to install additional programs, steal source code, or tamper with it in other ways in the VSCode IDE.

Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/NnBxFGR
via IFTTT

COMMENTS

BLOGGER
Name

Apps,3858,Business,151,Camera,1155,Earn $$$,3,Gadgets,1741,Games,926,GTA,1,Innovations,3,Mobile,1697,Paid Promotions,5,Promotions,5,Sports,1,Technology,8106,Trailers,796,Travel,37,Trending,4,Trendly News,25335,TrendlyNews,183,Video,5,XIAOMI,13,YouTube - 9to5Google,182,
ltr
item
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews: The VSCode Marketplace is pretty easy to hack with malicious extensions
The VSCode Marketplace is pretty easy to hack with malicious extensions
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews
http://www.trendlynews.in/2023/01/the-vscode-marketplace-is-pretty-easy.html
http://www.trendlynews.in/
http://www.trendlynews.in/
http://www.trendlynews.in/2023/01/the-vscode-marketplace-is-pretty-easy.html
true
3372890392287038985
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share. STEP 2: Click the link you shared to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy