There has been a bit of a stir in the developer community regarding a security incident involving the Open VSX registry. Open VSX is an open-source platform for publishing and consuming extensions for Visual Studio Code. Some of its access tokens leaked, and those tokens allowed whoever held them to publish bad or malicious extensions into the registry. Whoa!
Let's dive into what happened and why it has possible implications for anyone who uses code editors or builds extensions.
What Occurred
Developers who publish their extensions through Open VSX use an access token, which is essentially a kind of secret key, to release their extension updates. Some of these access tokens were inadvertently posted in a public code repository. Because that's what attackers do, they spotted the access tokens and used them to publish malicious or fake extensions that appear, at first glance, to be benign.
Fortunately, the Open VSX team noticed this and promptly rotated (changed) access tokens for all users.
In addition, they disabled malicious extensions and checked to see if the access tokens had been used elsewhere. Quite a quick and serious cleanup.
Why it Is Important
You might think, "Who cares, it's just a couple of leaked tokens?" This is where it gets scary:
• There are thousands of developers using these extensions daily.
• Some extensions auto-update, so a malicious update could spread to users without their knowledge and with little chance of detection.
• This incident has been attributed to a group, named GlassWorm, that targets developer tools.
A supply chain attack happens when the attacker compromises a trusted tool that users rely on, rather than attacking each user's system directly. Of course, this can be far more dangerous, because one compromised tool reaches everyone who trusts it.
How Open VSX Fixed It
The Open VSX team implemented a few measures to ensure that it doesn't happen again:
• They shortened the token expiration time, so that a leaked token expires very soon after it is issued.
• They changed the format of new tokens so they all start with "ovsxp_", making them easier to locate during code and secret scans.
• They implemented automated checks for secret keys and irregular code in extensions prior to publishing.
• They partnered with other extension marketplaces to share alerts about possible problems and prevent a similar attack.
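The second and third measures above work together: a recognisable prefix is only useful if something scans for it before an extension ships. The following is an added example, not Open VSX's own tooling, of a pre-publish secret scan for an unpacked extension bundle. It assumes tokens are the documented "ovsxp_" prefix followed by at least 16 token-like characters (the real length and alphabet are not stated on the page) and uses a constructed sample file.

```python
"""Pre-publish secret scan for an unpacked VS Code extension (added example)."""
import re
from pathlib import Path
from typing import NamedTuple

# Assumption: tokens are the "ovsxp_" prefix plus a run of token-like characters;
# the real length and alphabet are not on the page, so this is a conservative guess.
TOKEN_PATTERN = re.compile(r"\bovsxp_[A-Za-z0-9_-]{16,}\b")

# Text files inside an extension bundle where credentials commonly get pasted.
SCAN_SUFFIXES = {".js", ".ts", ".json", ".env", ".yml", ".yaml", ".md", ".txt", ".sh"}

# Constructed sample: a publish script with a token hard-coded on line 2.
SAMPLE = """\
// constructed sample: a token pasted into a publish script
const token = "ovsxp_AbCdEf0123456789XYZ";
console.log("safe line");
"""


class Finding(NamedTuple):
    path: str
    line_no: int
    masked: str


def mask(token: str) -> str:
    """Keep the prefix and last 4 chars so a finding can be triaged without re-leaking it."""
    return token[:6] + "*" * (len(token) - 10) + token[-4:]


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Scan one file's contents; returns one Finding per token occurrence."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_PATTERN.finditer(line):
            findings.append(Finding(path, line_no, mask(match.group(0))))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk an unpacked extension directory, skipping node_modules and binary files."""
    findings = []
    for file in root.rglob("*"):
        if "node_modules" in file.parts or file.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = file.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: nothing a text scanner can judge
        findings.extend(scan_text(text, str(file.relative_to(root))))
    return findings


def gate(findings: list[Finding]) -> bool:
    """Publish gate: True means the bundle is clean and may proceed."""
    return not findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE, "publish.js"):
        print(f"{f.path}:{f.line_no}: possible Open VSX token {f.masked}")
```

Run `scan_tree(Path("path/to/unpacked-extension"))` in CI and block publishing whenever `gate()` returns False.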