Microsoft’s Visual Studio Code (VSCode) extensions marketplace is plagued with malicious uploads and a lack of security controls, a group of researchers said in an open letter published on Medium.
The June 3 letter is the third part of a six-part blog series by a group that comprises Landa CTO Amit Assaraf, AppTotal Founder Itay Kruk and Zscaler Security Researcher Idan Dardikman, who conducted an experiment last month in which they “hacked” more than 100 organizations, including several multi-billion dollar companies, with a typosquatted version of a popular VSCode extension.
“During our research on the marketplace we found an incredible number of security design flaws implemented by Microsoft that provide amazing ways for threat actors to gain credibility and access,” the group wrote in their June 4 blog.
Visual Code Studio is the most widely used integrated development environment (IDE) with more than 15 million monthly users, and the VSCode Marketplace gets more than 4.5 million views for months, offering a range of extensions such as color themes and code beautifiers. The marketplace hosts about 60,000 extensions from about 45,000 publishers, and the average developer uses about 40 IDE extensions, the group estimated.
Malicious VSCode extensions quickly gain traction
In their first blog, the group presented an experiment they conducted in which they created a typosquatted copycat of the popular Dracula Theme extension, which they called Darcula Official.
Along with the legitimate Dracula source code, the researchers included code that sent whatever code the victim was working on to their own server, along with information about the victim’s machine such as hostname, domain, platform, and the number of extensions they had installed.
The Darcula extension took 30 minutes to create, the researchers reported, and had its first install within a few minutes. The researchers also quickly gained credibility for their fake extension by registering the domain “darculatheme.com” and tying it to their VSCode Studio account to become a “verified publisher” with a blue checkmark next to their listing. Within days, Darcula Official was featured on the front page of the marketplace as a “Trending” extension and had more than 100 installs.
The researchers revealed that organizations that installed their potentially dangerous extension included more than 10 multi-billion dollar companies, including one publicly listed company with a $483 billion market cap, as well as a major cybersecurity company and a national justice court network.
The group made responsible disclosures to these victims, in addition to a disclosure included in the license of the extension, which stated, “This is a fork of the Dracula Theme created for research purposes” and noted that the extension collected certain data and demonstrates code execution.
Researchers find nearly 1,300 malicious VSCode extensions with 229M total installs
Following their experiment, the analysts conducted further research into the VSCode marketplace ecosystem and discovered a number of concerning practices and potentially dangerous extensions, including 1,283 with known malicious dependencies that had a collective 229 million installations.
Additionally, they found 8,161 extensions that communicate with a hardcoded IP address, 1,452 that run unknown executable binary or DLL on the host machine, 145 flagged as malicious with high confidence by VirusTotal, and 87 that attempt to read the /etc/passwd database on the host machine.
In addition to the low bar for becoming a verified publisher, which only required linking a DNS-verified domain to one’s publisher account, the researchers discovered the ability to easily copy legitimate extensions by linking that extension’s GitHub repository to the copycat, which does not require any proof that the repo belonged to the publisher. The group found 2,304 extensions using a different publisher’s GitHub repo as their extension’s “official” repo.
Further issues discovered during the experiment included the ability to inflate installation numbers using a Docker file set to run on a loop and the ability to generate fake positive reviews for an extension.
Microsoft too lax on VSCode extension permissions, researchers say
One of the main issues addressed in the open letter to Microsoft is the lack of a permission model for VSCode extensions, which enables extensions to perform any API action including read and writing files and executing code without explicit user authorization.
“Unlike similar cases like Chrome Extensions or Gmail Add-ins, VSCode extensions have zero limitations on what they can do on the host. They can spawn child processes, they can execute system calls, they can important any NodeJS package they’d like, making them highly risky,” the analysts wrote.
Endpoint detection and response (EDR) tools are unlikely to protect systems from malicious VSCode extensions due to the high trust given to VSCode. As an IDE, VSCode is expected to perform activities such as reading and writing files and executing code, and EDRs may not be capable of distinguishing between legitimate use of VSCode by a developer versus activity coming from a malicious extension, the authors wrote.
Additionally, because VSCode extensions are quietly, automatically updated by default, a malicious publisher can conduct a covert supply chain attack by gaining traction with a legitimate extension before later slipping in malicious code, not unlike what occurred with xz utils earlier this year.
“Dear Microsoft, You created an amazing product, one used and adored by millions of developers, but those developers put their trust in you to design a safe product. I can only hope that the security design flaws mentioned in this blog post will be fixed in the coming months,” the researchers wrote in the conclusion of their letter.
Assaraf, Kruk and Dardikman said they plan to release a free tool called ExtensionTotal in the near future that will help developers detect potential risks in the VSCode Marketplace.
