One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens
Security researcher Ammar Askar disclosed a one-click attack against Microsoft Visual Studio Code (VS Code) that lets an attacker steal a user's full GitHub OAuth token. The attack goes through GitHub.dev, the feature that runs VS Code in the browser. By tricking a user into clicking a specially crafted link, the attacker obtains a token with read and write access to all of the user's repositories, private ones included. With that token the attacker can exfiltrate code, inject malicious code, or perform other unauthorized actions on the user's behalf. The vulnerability stems from how GitHub.dev handles authentication and token scopes, potentially bypassing user consent or security checks. Askar demonstrated the attack and urged users to be cautious with links that open GitHub.dev. GitHub has been notified and is working on a fix. Until a patch is released, users are advised to avoid clicking untrusted links that open GitHub.dev and to review their OAuth tokens for any suspicious activity.
Developers risk full compromise of their GitHub repositories, including private code, via a single click.
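The article's closing advice is to review OAuth tokens. One concrete way to do that is to look at the scopes GitHub reports for a token: every authenticated REST call (for example `GET /user`) returns an `X-OAuth-Scopes` response header listing the scopes the token carries, and a token carrying `repo` has exactly the capability the article describes, read and write on private repositories. The script below is an added example, not code from the article or from Askar's disclosure. It parses that header offline from constructed sample values, expands each scope with the sub-scopes GitHub documents it as implying, and flags tokens that can write to private repositories; the `fetch_scopes` helper that actually calls the API is included for real use but is not exercised by the offline samples. The scope-implication table is my transcription of GitHub's published scope list and is the main assumption here.

```python
"""Audit the scopes GitHub reports for an OAuth token via X-OAuth-Scopes.

Added example; not code from the article or from the researcher's disclosure.
The implication table below follows GitHub's documented scope hierarchy
(e.g. "repo" grants repo:status, repo_deployment, public_repo, ...).
"""
import urllib.request

# Parent scope -> sub-scopes it grants. Transcribed from GitHub's scope docs.
IMPLIED_SCOPES = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "write:public_key": {"read:public_key"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:gpg_key": {"write:gpg_key", "read:gpg_key"},
    "write:gpg_key": {"read:gpg_key"},
    "user": {"read:user", "user:email", "user:follow"},
}

# Only the classic "repo" scope grants read/write on private repositories.
PRIVATE_REPO_WRITE = {"repo"}


def parse_scopes(header_value):
    """Split the comma-separated X-OAuth-Scopes header into a set of names.
    An empty header means a classic token with no scopes (or a fine-grained
    token, which GitHub does not describe with this header)."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def effective_scopes(scopes):
    """Expand granted scopes with every scope they transitively imply."""
    result = set(scopes)
    frontier = list(scopes)
    while frontier:
        scope = frontier.pop()
        for implied in IMPLIED_SCOPES.get(scope, ()):
            if implied not in result:
                result.add(implied)
                frontier.append(implied)
    return result


def assess_token(header_value):
    """Report granted and effective scopes and whether the token can read
    and write private repositories (the capability the article describes)."""
    granted = parse_scopes(header_value)
    effective = effective_scopes(granted)
    return {
        "granted": sorted(granted),
        "effective": sorted(effective),
        "private_repo_write": bool(granted & PRIVATE_REPO_WRITE),
        "public_repo_write": "public_repo" in effective,
    }


def fetch_scopes(token, timeout=10):
    """Call GET /user with the token and return the raw X-OAuth-Scopes header.
    This makes a network request and is not used by the offline samples."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "scope-audit-example",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    # Constructed header values standing in for real API responses.
    for sample in ("repo, read:org", "public_repo, read:user", ""):
        print(repr(sample), "->", assess_token(sample))
```

In practice you would run `assess_token(fetch_scopes(token))` for each token you hold and treat any `private_repo_write: True` result for a token you do not recognise as grounds to revoke it from the GitHub settings page; a token minted through a browser flow you did not initiate is exactly the artefact this attack leaves behind.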