I would argue: the real bug here is that the extension API allows for these things in the first place.
Why are extensions executed in a context where they can download arbitrary data or execute arbitrary binaries? Run the extension in a locked context that can't do these malicious actions.
It's not really a bug, but a development paradigm that is to blame.
While Open Source / Freeware has its strengths, it does have the inherent weakness of allowing everyone to share and contribute.... even the bad guys. Unfortunately we don't get to choose who gets to contribute, so bad actors, hacks, foreign agents, and con artists can trick us into providing them with backdoors and sensitive information they can exploit.
Language servers run as child processes (and they shouldn't be anything else). Any kind of git or VCS tooling needs to read and write to disk. Jailing these processes makes them useless. It's natural for editor extensions to need to read/write disk and execute child processes - that's how developer tools have worked for decades.
That's not to say there aren't problems to solve, but this reaction is nonsensical to me. If extensions couldn't do these things, extensions wouldn't be useful!
Are there prompts right now which indicate what permissions the extension will get? I think that would right away raise attention that you’re giving permissions to a lot of things. But if the reviews are faked, then it’s already probably a lost cause. Tricky situation and I think we’re starting to get more and more attacks through open-source. It’s a lot more easy access to otherwise secured companies.
Nah. Leave it up to the OS to implement capability based security/entitlements.
This has nothing to do with open source, fwiw. VS Code extensions can be black boxes that download and run arbitrary programs. On top of that, a lot of language tooling requires code to be executed to be analyzed. So if you have any kind of extension for any text editor or IDE you have these kinds of problems, and it's not the job of the editor to play security whackamole.
If you don't want to run 3rd party programs don't download and run them. It's really not that complicated. That includes extensions and plugins for your tools.
A lot of the core functionality in vscode comes from extensions running external executables e.g. everything that relies on git or LLVM
Maybe they need a permission system like browser extensions so you at least know in advance if an extension is going to run an executable instead of just applying CSS themes or whatever you thought it would do
Maybe they need a permission system like browser extensions so you at least know in advance if an extension is going to run an executable instead of just applying CSS themes or whatever you thought it would do
This. We should be getting notified of any resources extensions use. In fact, since VS Code is basically an overgrown web app, it should cordon off extensions and use a security model at least as good as the major browsers use; assuming that's anywhere near sufficient.
I think you would need a lot more system access for many extensions than browsers allow. An LSP for example needs pretty wide file-system access, and a C/C++ workflow might need to run a bunch of arbitrary binaries to do its job.
I think what's important is giving the user informed consent over what an extension is doing, and also treating installing and using extensions as a potentially risky behavior from a UX perspective.
Currently VSCode treats extensions super casually, and it's easy for a user to download dozens of them by just clicking "yes" whenever the box pops up in the bottom corner without even thinking about it.
That's a good point, so my suggestion goes overboard.
However...:
I think what's important is giving the user informed consent over what an extension is doing, and also treating installing and using extensions as a potentially risky behavior from a UX perspective.
Exactly! If I'm using an extension like the OP's Dracula extension and I'm prompted upon install to let me know that it uses network calls, at least I can have the opportunity to put a stop to it then. Especially as developers, we know that's suspicious. Furthermore, at runtime, if I were to get a prompt from VS Code to let an extension use the network and it were to show me the network connection and payload details, I could put a stop to it then.
The nightmarish side of VS Code is that so many devs will knowingly or unknowingly run code in a sudo or Administrator context and just forget that they're doing so. Issues with permissions are common in a development experience after all. Should this happen? Nope. But it does happen because of all the different weird toolchains and admin-required install paths that are used in the wild.
It does sound like we need some kind of permission model similar to browser extensions. It's not perfect (as demonstrated by Chrome Web Store malware) but it will at least (hopefully) throw up some red flags when "My Really Cool Theme" requests permission to read from your home directory.
Oh this is neat to see. A year and a half ago when I was in grad school, for my computer security class, my group's semester project was the same topic as these researchers. We investigated automated ways of finding malicious VSCode extensions from the marketplace.
We originally wanted to automatically download and run extensions in a sandbox and trace suspicious calls, but that proved too difficult to get working in the semester we had. Electron did not lend itself well to being sandboxed, and we had to switch directions halfway through the semester. Instead, we made a system that automatically scanned extension metadata and source code, much like the researchers did here.
We scanned for typosquatting, suspicious strings or binaries in the extension code, weird author/github mismatches, etc. Many of the same techniques the researchers used here.
We found a surprisingly large amount of just weird crap. Stuff like extensions that weren't actually for coding but instead were advertising pirated movies.
I forget what it's called, but there was some official way to get extensions verified/trusted/? by Microsoft. We also found that a surprisingly large amount of the top ~100(?) extensions didn't use this process. Sorry for the vagueness, the details are a bit fuzzy to me, and a quick google didn't bring up what I was looking for.
So yeah, interesting to see a more rigorous study confirm what our somewhat hastily produced research project found.
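The metadata checks described in the comment above (typosquatted names, plus the "using another publisher's Github repo" copycat signal quoted from the article), as an added example that is not part of the thread or the researchers' tool. It assumes manifests shaped like an extension's package.json (`name`, `displayName`, `publisher`, `repository`); every record, publisher name and repository URL below is constructed.

```javascript
'use strict';

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so "darcula" vs "dracula" counts as one edit instead of two.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Words that carry no identity on their own and would only add noise.
const GENERIC = new Set(['theme', 'themes', 'official', 'vscode', 'code', 'dark', 'light']);

function tokens(s) {
  return (s || '').toLowerCase().split(/[^a-z0-9]+/)
    .filter((t) => t.length >= 4 && !GENERIC.has(t));
}

// package.json "repository" may be a string or { type, url }; reduce both
// forms (and git+https / ssh spellings) to "host/owner/repo".
function repoKey(repository) {
  const url = typeof repository === 'string' ? repository : (repository && repository.url) || '';
  return url.toLowerCase()
    .replace(/^git\+/, '')
    .replace(/^[a-z]+:\/\//, '')
    .replace(/^git@([^:]+):/, '$1/')
    .replace(/\/+$/, '')
    .replace(/\.git$/, '');
}

// Compare one candidate manifest against a list of well-known extensions.
// Returns findings for manual review; an empty array means nothing matched.
function reviewExtension(candidate, knownList) {
  const findings = [];
  const candTokens = new Set([...tokens(candidate.name), ...tokens(candidate.displayName)]);
  const candRepo = repoKey(candidate.repository);
  for (const known of knownList) {
    // The real publisher shipping a sibling extension is not a squat.
    if (known.publisher.toLowerCase() === candidate.publisher.toLowerCase()) continue;
    const target = `${known.publisher}.${known.name}`;
    const knownTokens = new Set([...tokens(known.name), ...tokens(known.displayName)]);
    for (const ct of candTokens) {
      for (const kt of knownTokens) {
        const distance = osaDistance(ct, kt);
        const limit = kt.length >= 8 ? 2 : 1; // allow more slack on long names
        if (distance > 0 && distance <= limit) {
          findings.push({ rule: 'near-name', candidate: ct, known: kt, distance, target });
        }
      }
    }
    if (candRepo && candRepo === repoKey(known.repository)) {
      findings.push({ rule: 'repo-reuse', repo: candRepo, target });
    }
  }
  return findings;
}

// Constructed sample data (not real marketplace records).
const KNOWN = [{
  publisher: 'example-dracula-pub', name: 'dracula-theme', displayName: 'Dracula Official',
  repository: { type: 'git', url: 'https://github.com/example-org/dracula-theme.git' },
}];

const SQUAT = {
  publisher: 'example-squatter', name: 'darcula-theme', displayName: 'Darcula Official',
  repository: 'git+https://github.com/example-org/dracula-theme.git',
};

const BENIGN = {
  publisher: 'example-md', name: 'markdown-preview-plus', displayName: 'Markdown Preview Plus',
  repository: 'https://github.com/example-md/markdown-preview',
};

console.log(reviewExtension(SQUAT, KNOWN));
console.log(reviewExtension(BENIGN, KNOWN));
```

As the thread points out further down, Darcula is also a legitimate theme name in its own right, so a hit here is a candidate for manual review rather than a verdict.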
I remember reading this comment a while back. I tried to find suspicious vscode extensions, mainly through their descriptions and to no avail. The only extension I could find was: itemName=IyotBirada.Ovaltinies-Tinie which has 0 downloads. If you have any pointers, I would be grateful.
ahh that sucks. if by any chance you guys scraped the marketplace 2 years ago and still have the dataset, I would love to compare how far they have changed.
Actually during our research of Visual Studio Code extensions in the past few weeks we've found an alarming amount of security design flaws that deserve the security community’s attention. The lack of a permission model, automatic silent updates, and unrestricted capabilities are just a few issues that pose a direct threat to organizations who use Visual Studio Code.
thanks so much for all of your work. It seems that it would be very useful to have tooling available to the community to detect extensions with security issues, I followed you on Medium hoping that future posts will outline simple ways for developers to identify problematic extensions. Ideally, as you point out, Microsoft would provide such tools or identify security issues on the extension's page.
I don't see how this is a response to the previous poster. This doesn't really have anything to do with what they said, more like you are squatting on the top posted reply to get more people to other articles...
We found a surprisingly large amount of just weird crap. Stuff like extensions that weren't actually for coding but instead were advertising pirated movies.
I think I have a hypothesis for this specific type of spam, and it (depending on what you find interesting) has an interesting backstory from what I can tell. While not advertising pirated movies, I think I have a hypothesis on what they're doing (TL;DR: domain reputation abuse).
Okay, so there's this weird type of spam that I'm vaguely calling "sports streaming spam". Their group^* (probably using stolen accounts), on reddit (as one example of sites they spammed), would create dozens of subreddits and flood dozens of posts to their subreddits and make hundreds of thousands of comments on those subreddits posting links to their spam. This worked pretty well; if you googled some of the search terms during NFL season or whatever, you'd get their links as some of the top results.
This stuff wasn't limited to reddit either; you still see it on StackOverflow and the other SE network sites if you monitor the SmokeDetector chatroom. Anyway, at some point I guess people on the anti-spam side figured out that their links from new accounts were by and large garbage spam you could automatically filter out and remove.
So the spammers I think needed new tactics. Eventually what they started doing is creating GitHub apps and I guess probably VS Code extensions and then linking to that in their spam and the description just says where to go. I saw this happen at least once while looking through the SmokeDetector room. My guess is that on places like reddit and (especially) StackOverflow, links to GitHub and the VS Code extension library aren't filtered out, because they have higher likelihood to be legitimate than downloadc00lnewmovies.example or whatever.
These posts should really name the extension (some Dracula theme here, it looks like... Didn't and won't fully read). Kinda click-baity to not. I shouldn't have to open some link to know if it's relevant... Should know by the title.
The Dracula theme extension was a "typosquatter" (Darcula Theme, with "darculatheme.com" as the registered domain) released by the researcher as an experiment, which uses actual Dracula theme code but with additional code that "collects system information, including the hostname, number of installed extensions, device's domain name, and the operating system platform, and sends it to a remote server via an HTTPS POST request."
Result: no flagging from endpoint detection and response (EDR) tools, verified publisher, multiple high-value targets installed said extension.
Well I thought the entire article was clickbait until I read further. Turns out the researchers dive deeper and scan the marketplace then find a lot of extensions with really malicious code (one example they provided is CWL Beautifer, which opens a reverse shell)
Through this process, they have found the following:
- 1,283 with known malicious code (229 million installs).
- 8,161 communicating with hardcoded IP addresses.
- 1,452 running unknown executables.
- 2,304 that are using another publisher's Github repo, indicating they are a copycat.
I don't really understand what you think the issue is, here. VSCode could likely do more to defend against malicious extensions - but you're the one who chooses which extensions to run. You could just... not. I'm not really sure what other software you'd use that had both a robust extension system and didn't have these issues.
It's pretty much like having a AppStore without any security. Can you really blame the user? What's the point in controlling what you can install, if there is no security review in place.
The problem being that vscode is so poorly featured
Compared to... what?
You honestly don't sound like you've... ever programmed. The reason VSCode got popular is actually quite the opposite of what you've said. VSCode was based on Atom, another electron-based IDE with extensions. The primary reason VSCode was more popular was because it didn't need extensions to be good. Whereas Atom required a lot of customization, VSCode was good right out of the box.
I also have no idea what you're comparing it to. Every editor I know of has plugins, most with far less oversight than VSCode. Vim for example once ran into a wall where people's loading times were so long (1m+) that someone had to fork the project to create neovim to implement parallel processing of plugins.
What exactly are you using to program that doesn't have extensions? Notepad?
Does that still work? I haven't tried in a while, but as I've been tinkering in almost equal parts these days in Rider, RustRover, and GoLand, could I do the same with all the same features in Ultimate Edition still? Right now I just keep all 3 products installed.
Nah, get IntelliJ Ultimate if you're using that many separate JB IDEs. Every IDE they provide is just a set of plugins and configuration on the IntelliJ platform, and Ultimate can just load them all at the same time. For example, PyCharm comes with most (all?) of the same features as WebStorm, I assume PhpStorm and RubyMine are the same.
Square one being what? Installing a core featureset that in itself can be run as a fully separate product?
That's not the same as installing an LSP server, rainbow brackets or SSH remote support in VSCode, you can't run those extensions without VSCode. You can run the other Jetbrains IDEs if you are averse to installing external code from within the IDE.
Extensions can be signed on JetBrains (and the ones we're talking about are). The issue for implementation for VSCode is still open, 7 years later. Extensions are also reviewed and approved.
Ah I understand now; I was confused as "VSCode was trash software because it needed extensions" didn't appear to be a position either of us took.
And that commenter really ignored the "recommended extensions" caveat.
VSCode having an insecure extension system is in the same vein as PYPI having bad actors upload malicious code, but you don't see people going "well I guess I'll just forgo pip" lol
I think unsigned extensions are not great and I'm shocked MS hasn't figured that out. VSCode has a good market position, especially for beginners. Beginners are dangerous, but that's not VSCode's "fault".
I disagree - this is a particular risk with VSCode due to the "recommended extensions" feature - i.e. if you are opening a certain type of file, VSCode will suggest extensions that you can install with just a click of extension.
You can't expect every person to fully vet every extension their editor suggests for them. Especially many beginner devs are likely to just click yes when prompted if their editor suggests something.
It's a huge surface area for supply-chain attacks. It's pretty easy to imagine a situation like the xz attack, where a well-used extension gets compromised, and millions of people get the compromised version with an auto-update without even realizing it.
But is it the recommended extensions that are being compromised here? VSCode doesn't just randomly suggest recommended extensions, I believe the ones they recommend are typically the standard extensions for a particular ecosystem.
There are still risks involved in vetting the processes and supply chains of those extensions, but that's a very different set of risks to the ones described in that comment.
I think repositories can also recommend extensions as well through their workspace recommended extensions feature. So a beginner downloading tutorial source code and installing the recommended extensions can be compromised
But that also happens if you read a tutorial and it says "now install xyz extension".
Installing extensions is definitely a security risk, but the "recommended extensions" feature doesn't make it more of a security risk. Yes, the recommended extensions could be compromised, but that's true of any extensions, and can occur in a variety of ways.
I disagree. The barrier to entry for recommended extensions is so low - you literally just have to click a button. The UX even makes it annoying not to install the recommended extension, because it will keep popping up in the corner periodically like a software update notification.
With a tutorial, at least you have to go through the effort of manually installing the extension, even potentially with some terminal commands. That's enough friction that the least sophisticated users, who are most at risk, might not even get that far.
And if it's coming from a tutorial, at least you have the context of the tutorial to understand how trustworthy the author might be. With VSCode, you probably aren't even aware of where the request to install the extension is coming from. It's just the default action recommended by VSCode as far as the UX is telling you.
So it's not to say you can ever eliminate all risk, but maybe we should not make it the easiest thing in the world to put yourself at risk.
The issue is it trains naive users to blindly trust extensions. The mechanism for installing a recommended extension is identical to installing an untrusted extension. Sure we can sit here as knowledgeable people and say we would be careful but evidently hundreds of millions will not. If untrusted extensions required you to go to a third party website, download something and then import through warnings then it wouldn't be VS Code's issue.
From the original blog post, all it takes to get a blue check and become a verified publisher is adding a verified domain to your publisher account. Only 4% of extensions even do that, including some of the top extensions. It's meaningless and they need to change that before using it for anything.
That's why I bring up the xz example: it was considered to be safe and well-trusted software for years, but then bad actors got control of the project via social engineering, and injected malicious code.
You could easily imagine a similar attack, where someone finds the list of the 100 most used extensions, finds one or a handful where they can get commit rights to the repository, and releases an update containing malicious code.
This is the inherent risk of maximalist tooling and high dependency development.
Have never had these issues with any of JetBrains products, ie Rider, PyCharm. But then again, I pay a fair amount for the security of verified plugins on JB
Yes but you are mentioning professional tools for developers, not some freebie interface where everything goes (literally) aimed at tinkerers who don't know better.
Have never had these issues with any of JetBrains products
Has this been vetted by some external party? Intellij seems to have more stringent controls, but unless they're verified somehow, it's kind of a meaningless statement. The hundreds of millions of installs mentioned in the article probably didn't have noticeable issues either.
yes, if this is what you are referring to, JB plugins all go thru a verification process and must be installed thru the JB Marketplace app to prevent any malicious or misleading plugins. Has its ups and downs, some plugins I like are outdated because latest version hasn’t been approved yet but I still like being secure lol
Stay mad kiddo, I don't care. I'm not a part of your original argument, think of me as a social worker and yourself as a maladjusted delinquent who needs guidance but doesn't know it.
Part two of this film ends after you hit rock bottom, you're a mid thirties loser mad at the world for not "understanding your genius", but really we just don't want to engage with someone so insufferable.
Data intrusion would be the next cause of the world war. These issues are really causing the pain to the real and sincere developers in one or the other way. We should start using next-gen code editors as Zed or Project IDX.
What it actually was about doesn't particularly matter when it comes to the specific thing I'm addressing. The basic info of that should've been in the post. We shouldn't have to open a link (and Reddit has started hiding URLs, so can't tell if it's a legitimate source or not) just to know what it's about and if I should be concerned.
Some typo variant of a theme I don't use is uninteresting to me. If it were Eslint though... That'd be a different story.
This is just click-bait and probably results in extremely high bounce rates.
It's about researchers finding thousands of malware extensions with millions of installs between them. Having read the article, I'd say the headline set my expectations pretty accurately.
The one with a typo wasn't malicious, it was for research. For the ones that were actually malicious that you would want to be worried about, there's literally thousands of them.
The malicious software is the ‘Darcula theme’. They name squatted by using a misspelling of a very popular theme. It’s not the Dracula theme that is infected.
I could be mistaken, but I think Darcula is also a relatively popular name for dark mode theming, especially for IDEs, since Jetbrains has a popular one with that name (I could have sworn Konqueror did as well back in the day), since it's also a pun on dark/Dracula.
Good grief, have you seen how many "Darcula" themes there are in the marketplace? "Darcula Official" sounds like a good name to pick if you want to stand out from the crowd for your malware attack.
The original comment you replied to wasn't wrong - the researchers squatted the misspelling of a popular theme - Dracula (draculatheme.com) vs Darcula (darculatheme.com).
it's a common theme name across various tools and services and has been for years
No, it's a JetBrains-only theme. Dracula, on the other hand, is a common theme across various tools and services.
Created by Jetbrains yes however it's now a very popular theme across most tools, Dracula and Darcula are two separate themes. It's not as popular as Dracula but saying it's exclusive to Jetbrains isn't correct
https://marketplace.visualstudio.com/items?itemName=rokoroku.vscode-theme-darcula - Since 2020, well before this research paper
There are 1300 malicious extensions, they can't name them all in the title. The Dracula one isn't one of them, that was their experiment to try and get people to install an intentionally typoed clone of a popular extension.
The article title is misleading. It's actually about research about how easy it is to copycat a popular extension and get downloads which now have access to your dev environment. The Dracula theme copycat was created by a research team to test this and collects some data and publicly discloses it in the readme and they were able to get many users unintentionally downloading it in under 24 hours.
I appreciate the honesty that you didn't read the article but how is this the top comment?
Yeah, once I took a quick glance and realized I didn't care... I didn't care.
IDK how it's top. Possibly just because I said that I shouldn't have to open the link just to know what it's actually about and a lot of people agreed?
If multiple extensions are affected and only some of them are listed in the headline (because it can't be too long) then it would just give you a false sense of security if one of yours wasn't listed.
A title isn't clickbait just because it can't give you all the information at once. Otherwise we wouldn't need articles.
The article title isn’t misleading. What you’ve described is the first part of the article. The second part of the article describes a scan the team did in which they did indeed discover millions of installs of malicious code.
Your comment is all that is wrong with what this subreddit has become. You admit that you didn’t read the article but you say the title should be different? That is insane.
As others have said, there is nothing wrong with the Dracula theme extension. They typosquatted that one to demonstrate how malicious code could be delivered.
Then they did separate research to demonstrate that there are many actual extensions with malicious code. Hundreds if not thousands. Would you like them to list 1000 extension names in the title?
It's funny because many tools at large companies require upper management approval to install, which can take weeks. Whereas vscode doesn't require admin access to install and inevitably results in people using what are probably less secure extensions over well known software for the sake of productivity and deadlines.
TBH and as much as I love Emacs: not really. The fact is that:
- Emacs has significantly fewer users, hence, fewer extensions and above, it is less interesting to infect the "Emacs userbase" than to infect the "VS Code" userbase, so less incentive to develop malware/malicious extensions.
- Emacs is very, very far from being sandboxed: any extension has the same rights as the user (download arbitrary stuff from the Internet, complete access to the filesystem ...)
- Emacs users tend to read their extensions' source code much more often than VS Code users -- be it for documentation, patches, examples on how to do something ... so it is not /that/ easy to completely hide a malware/malicious intent within source code here, as it is very likely someone will spot it.
- To some extent, the usual package archives are moderated. However, it is unclear to me how much of a code review is done by the moderators of (typically) MELPA.
We'll have to disagree about the effective user base of Emacs vs VScode. There really aren't reasonable metrics to back up your assertion in this regard. Beyond that, I'd venture that the reason you don't hear much about Emacs extensions "infecting" the app is because Emacs users are pretty damn Code savvy as a rule, and probably more so than your avg Vs Coder 😋
And yet Emacs hasn't really shown a strong need for sandboxes. What it does need is first class Common Lisp style namespaces for packages, but RMS has a bone to pick with CL so it doesn't and likely never will.
Yes, Emacs users are a savvy lot in general 🤓
MELPA isn't remotely the only source of packages for Emacs. The damn editor is decades old. I'm personally running code I cut nearly 20 years ago in Emacs and routinely use crufty old code written well before that... Which, I guess bolsters your point... no one seems to be watching over user built packages to scrutinize their security protocols. This said, because Emacs users are a savvy lot, if/when a particular package does gain traction with the user base, there does tend to be a fair bit of code review and contribution which tends to qualify as highly functional self policing vis a vis security.
The majority of comments on this post are missing the point. Commenters are down-playing the severity of the problem, and I have to wonder whether some of those commenters have a vested interest in encouraging complacency.
The article is not click-bait. It mentions one typosquatting extension that was the researchers' proof-of-concept. But the real story is:
Microsoft is doing fuck-all moderation of extensions.
Microsoft has not removed all of the malicious extensions reported to them:
All malicious extensions detected by the researchers were responsibly reported to Microsoft for removal. However, as of writing this, the vast majority remains available for download via the VSCode Marketplace.
There are a lot of dodgy extensions:
- 1,283 with known malicious code (229 million installs).
- 8,161 communicating with hardcoded IP addresses.
- 1,452 running unknown executables.
- 2,304 that are using another publisher's Github repo, indicating they are a copycat.
The list of malicious extensions is not published, from what I can find. We will have to wait until next week to be able to run the researchers' checking tool.
Another point is why a theme is even allowed to do any requests. It's a theme. It's especially funny since it's a VSCode theme which doesn't even allow you to customize the look that much. If themes could completely change widgets or something, maybe, but it's just colors.
VSCode themes are extensions, and as such can do anything that any extension can do. And they do! The Monokai Pro theme runs in "trial mode" and requires payment for extended use, for example.
The majority of comments on this post are missing the point. Commenters are down-playing the severity of the problem, and I have to wonder whether some of those commenters have a vested interest in encouraging complacency.
I think the dismissiveness you're seeing is from people like me who use VSCode and extensions, but have always treated extensions as if they are potentially insecure (because they quite obviously are) and have stuck to trustworthy extensions.
It never occurred to me that VSCode themes could be potentially harmful. I'm using JetBrains though, but for one project I was on VSCode. I guess I'll have to do my due diligence since Microsoft will not. I think what irks me about people like you, is that you aren't even fazed by the negligence of Microsoft.
My comment was clumsily phrased, and understandably gave you the impression that I think either case is fine, which I don't.
The last part of your comment is very strange, it sounds like you're saying unless I am an industry expert on cyber security, I can't have an opinion on the security negligence of a Mega Corporation, like Microsoft. Actually, you're even implying I'm some kind of hypocrite for expecting more from Microsoft than I do from myself. Are you mentally ill, or dumb?
I think this is still valuable since the security hygiene of many programmers might as well be non-existent.
If by "this", you mean people investigating the security of extensions and exposing security flaws, I agree 100%. And I mentioned in a separate comment that Microsoft could probably do a lot more than they currently are to ensure security.
But for some reason, people seem to be pushing the narrative that Microsoft is somehow deficient for not putting in significantly more effort than literally anyone else in the field is doing. It hasn't historically been the responsibility of the authors of extensible software to personally monitor all extensions of that software. The entire point of extensions is to allow the community to provide their own solution. This is more a condemnation of the community than of the corporation in this case.
All that aside, I hope this does push Microsoft to remove the more easily abused features of their extension platform. But I also realize that those changes will probably provoke a new wave of criticism about the removed content, much of it likely from the same group currently criticizing them for the poor security of extensions.
I'm wary of free lunches in all their myriad forms. The $64,000 question is "how do you evaluate 'trustworthiness'". I consider Microsoft's own extensions to be as trustworthy as VSCode itself.
But after that, what do you do? If you believe in safety in numbers, well 229 million installs spread across 1283 malicious extensions is an average of 178,000 installs. Quite a respectable number and no indication of safety.
Past that, it's up to you to look at the code, but Microsoft doesn't even guarantee that the GitHub link on the extension page matches the deployed code. That's utterly negligent.
A manifest detailing required extension permissions would go a long way, too. If a color scheme is requesting unrestricted read/write permissions to your filesystem then users can make a more informed decision beyond blind trust or reading the source of the extension directly.
I would say any large company that just allows any developer to install arbitrary extensions has this risk, there's a reason why the only extension my company allows is their internal extension marketplace that vets all the extensions on it.
I could see this as a problem for someone who is working solo on a project, but for an organization this likely is not as bad. Every company I worked for, every bit of software (including plugins) needs to be vetted before it can be used. We vet for license issues, whether it is actively supported, whether the company that made the software has a good relationship with their users, etc.
Wait, isn't Darcula a common name for unaffiliated themes that are made to look just like Dracula? Similar to how Meslo is the free lookalike of Apple's Menlo font.
I thought that I had a false memory for a second, because no one was bringing up the IntelliJ theme. Then I did a web search for Darcula theme in IntelliJ. The first two entries are for plugins. But then the third result:
By default, IntelliJ IDEA uses the Darcula theme in Classic UI and the Dark theme in New UI unless you changed it during the first run.
this is going to sound extremely dismissive but I just want to make it clear that these marketplaces, no matter the company, is ripe with malware-esque applications. that said some dudes created a plugin with a similar name as a popular one that sends some minimal telemetry back home. that's it.
this obviously gets past Microsoft's threat detection because everyone and their grandmother collects data.
when someone mistakenly downloaded their pretty harmless plugin they successfully infected the organisation.
then they set up a pretty fuzzy list of criteria why other apps are a threat including but not limited to hard coded IP:s and the fact that plugins execute other binaries, which is fair but also just how many plugins work. also some amateurs left secrets in their source code.
It's not as easy to sandbox coding extensions as something like a website. By their very nature, a lot of extensions will need things like shell access or file system access.
Probably there could be better fine-grained access control over what is allowed, but software development by nature is a fairly system-heavy pursuit.
Moving all software development to the cloud, and treating it as something which individuals can't or shouldn't do on their own computer is a way bigger problem
of course it shouldn't be sending back data. But as malware goes, it's the least worst thing. Imagine a keylogger instead, or a remote execution exploit injector etc.
Obviously, it's still malware whether it's "harmless" or not.
I think extensions need security built in, similar to how a browser has some security built in (against sites, like cross site origin permission, and http-only cookies etc).
...a theme is a plugin like any other, all plugins can send data anywhere. collecting basic system info is called telemetry but you guys want to call it malware. pretty much every website you ever visit is infected with similar "malware" called Google AdSense.
what I'm getting at here is that what their software did is so bog standard in the industry that I am genuinely baffled that anyone interprets it as malware. you will be hard pressed to find software that doesn't call home for one reason or another, be it login, news feeds or updates.
because everyone and their grandmother collects data.
MS themselves are actually one of the worst offenders here. I avoid MS products as much as possible with how much "telemetry" they send back, and how often they "forget" user settings to disable it
the store is not open source dude. the app is. they host the store. they could at least monitor the most popular apps and look at suspicious activity like themes that use a constant connection for some reason.
as much as it's an open source app, it is also a platform for them to sell services. so they make money on it
they could at least monitor the most popular apps and look at suspicious activity
They could also scan all the 3rd party extensions for anything - but you haven't demonstrated why they should. They made an open source editor with the ability for you to examine every single bit of whatever extension you want to install - and you're saying they need to monitor it? If you're using third party software - don't you look at it?
Am I just old as shit? When did look at the source become a non-starter?
What you're asking Microsoft to do with every single 3rd party extension submitted - is to examine it entirely to ensure it holds up to (what standards?) on monthly updates - when they're actively giving the software away for free?
You know what I've never been hit with? A "buy this" popup or notification in VSC.
You know why? It's because while Microsoft may maintain the sole managed of a project - they aren't actively making buy anything to make it work. Nothing about this text editor is P2P.
Which part of VSC is a "platform to sell services?" Can you show anything? Their download page doesn't even have a "pricing" link on it. It's free. They're actively giving it away on PC/Linux (fuck yeah)/macOS. What Microsoft products have you been incentivized to purchase because you use VSC?
Am I just old as shit? When did look at the source become a non-starter?
A fair number of extensions aren't fully open source (e.g. Pylance). This isn't to say Pylance is dangerous, but I'm pretty sure it's at least not always feasible. You can avoid non OSS code, but it's also not really feasible or practical from a security perspective for every individual to manually check every extension. It simply doesn't occur. We've seen the exact same behavior in npm where malware gets introduced.
Which part of VSC is a "platform to sell services?" Can you show anything? Their download page doesn't even have a "pricing" link on it. It's free. They're actively giving it away on PC/Linux (fuck yeah)/macOS. What Microsoft products have you been incentivized to purchase because you use VSC?
I think VSC has some pretty tight integrations with GitHub by default no? Certainly if you open a directory, the SCM side panel asks if you want to upload to GitHub and integrate VSCode with your GitHub account. The download page also promotes Azure. It's not the most aggressive upsell but it is an upsell. Not everything is an explicit price which is the whole point.
What you're asking Microsoft to do with every single 3rd party extension submitted - is to examine it entirely to ensure it holds up to (what standards?) on monthly updates - when they're actively giving the software away for free?
Do you think it's unreasonable to force Meta to moderate Facebook? Doesn't Google have to check the videos that are uploaded to YouTube? As a platform provider you have to moderate your platform. It wasn't always that way but nowadays it is.
I mean, it's kinda easy for MS to do just that: Make a restricted store with only trusted partners and verified code. Additionally, make an option to also allow "insecure third party". Include that into AD so enterprises can force restricted mode only. I really don't know why they haven't done that already.
Which part of VSC is a "platform to sell services?" Can you show anything?
Money, although very important, is not the only thing that is of value to Microsoft. Just check out why VSCodium exists. If you are not paying for the product you are the product.
All of the other issues aside, isn't that IP in the code beautifying snippet in a private address range? Wouldn't that just send data to some local server?
I knew this was a disaster waiting to happen. Around the time of COVID lockdown, there was this massive social campaign pushing and singing praises of VSCode, a whole ecosystem was being readied for this. If the overall install base of a product increases, so will the attack vector of a plugin.
I agree that the dominance of VSCode is a problem. MS has too much influence over the developer ecosystem with VSCode and Github - I choose alternatives whenever possible.
Huh I didn't realize they own npm - at least yarn is an alternative, but that's meta as well so it's not that much better.
I'm secretly hoping wasm gets complete enough API's to replace the js ecosystem in the next 10 years and we can leave the mess which is js development in the past.
What some of my wise friends do is head over to unkpg.com and download whatever individual packages they want. Avoid total dependency on the actual npm packager if possible.
I mean, it's a great editor. Popular things become targets. Doesn't mean folks shouldn't have recommended it; there was no way to know that one of the biggest software companies in the world would drop the ball on security this badly.
Really silly dooming. People use pointless fear mongering like this to tell us why iOS has to be locked down as well. Just be careful with what you install
phil9876543210@reddit
how can vscode api be based on such a bad technology like nodejs
Skaarj@reddit
I would argue: the real but here is that the extension API allows for these things in the first place.
Why are extensions executed in a context where they can download arbitrary data or execute arbitrary binaries? Run the extension in a locked context that can't do these malicious actions.
BullShinkles@reddit
It's not really a bug, but a development paradigm that is to blame.
While Open Source / Freeware has its strengths, it does have the inherent weakness of allowing everyone to share and contribute.... even the bad guys. Unfortunately we don't get to choose who gets to contribute, so bad actors, hacks, foreign agents, and con artists can trick us into providing them with backdoors and sensitive information they can exploit.
VirginiaMcCaskey@reddit
Because that's how computers work?
Language servers run as child processes (and they shouldn't be anything else). Any kind of git or VCS tooling needs to read and write to disk. Jailing these processes makes them useless. It's natural for editor extensions to need to read/write disk and execute child processes - that's how developer tools have worked for decades.
That's not to say there aren't problems to solve, but this reaction is nonsensical to me. If extensions couldn't do these things, extensions wouldn't be useful!
pleasewait@reddit
Are there prompts right now which indicate what permissions the extension will get? I think that would right away raise attention that you’re giving permissions to a lot of things. But if the reviews are faked, then it’s already probably a lost cause. Tricky situation and I think we’re starting to get more and more attacks through open-source. It’s a lot more easy access to otherwise secured companies.
VirginiaMcCaskey@reddit
Nah. Leave it up to the OS to implement capability based security/entitlements.
This has nothing to do with open source, fwiw. VS Code extensions can be black boxes that download and run arbitrary programs. On top of that, a lot of language tooling requires code to be executed to be analyzed. So if you have any kind of extension for any text editor or IDE you have these kinds of problems, and it's not the job of the editor to play security whackamole.
If you don't want to run 3rd party programs don't download and run them. It's really not that complicated. That includes extensions and plugins for your tools.
Nicksaurus@reddit
A lot of the core functionality in vscode comes from extensions running external executables e.g. everything that relies on git or LLVM
Maybe they need a permission system like browser extensions so you at least know in advance if an extension is going to run an executable instead of just applying CSS themes or whatever you thought it would do
vplatt@reddit
This. We should be getting notified of any resources extensions use. In fact, since VS Code is basically an overgrown web app, it should cordon off extensions and use a security model at least as good as the major browsers use; assuming that's anywhere near sufficient.
pragmojo@reddit
I think you would need a lot more system access for many extensions than browsers allow. An LSP for example needs pretty wide file-system access, and a C/C++ workflow might need to run a bunch of arbitrary binaries to do its job.
I think what's important is giving the user informed consent over what an extension is doing, and also treating installing and using extensions as a potentially risky behavior from a UX perspective.
Currently VSCode treats extensions super casually, and it's easy for a user to download dozens of them by just clicking "yes" whenever the box pops up in the bottom corner without even thinking about it.
vplatt@reddit
That's a good point, so my suggestion goes overboard.
However...:
Exactly! If I'm using an extension like the OP's Dracula extension and I'm prompted upon install to let me know that it uses network calls, at least I can have the opportunity to put a stop to it then. Especially as developers, we know that's suspicious. Furthermore, at runtime, if I were to get a prompt from VS Code to let an extension use the network and it were to show me the network connection and payload details, I could put a stop to it then.
The nightmarish side of VS Code is that so many devs will knowingly or unknowingly run code in a sudo or Administrator context and just forget that they're doing so. Issues with permissions are common in a development experience after all. Should this happen? Nope. But it does happen because of all the different weird toolchains and admin-required install paths that are used in the wild.
tj-horner@reddit
It does sound like we need some kind of permission model similar to browser extensions. It's not perfect (as demonstrated by Chrome Web Store malware) but it will at least (hopefully) throw up some red flags when "My Really Cool Theme" requests permission to read from your home directory.
Lord_Zane@reddit
Oh this is neat to see. A year and a half ago when I was in grad school, for my computer security class, my group's semester project was the same topic as these researchers. We investigated automated ways of finding malicious VSCode extensions from the marketplace.
We originally wanted to automatically download and run extensions in a sandbox and trace suspicious calls, but that proved too difficult to get working in the semester we had. Electron did not lend itself well to being sandboxed, and we had to switch directions halfway through the semester. Instead, we made a system that automatically scanned extension metadata and source code, much like the researchers did here.
We scanned for typosquatting, suspicious strings or binaries in the extension code, weird author/github mismatches, etc. Many of the same techniques the researchers used here.
We found a surprisingly large amount of just weird crap. Stuff like extensions that weren't actually for coding but instead were advertising pirated movies.
I forget what it's called, but there was some official way to get extensions verified/trusted/? by microsoft. We also found that a surprisingly large amount of the top ~100(?) extensions didn't use this process. Sorry for the vagueness, the details are a bit fuzzy to me, and a quick google didn't bring up what I was looking for.
So yeah, interesting to see a more rigorous study confirm what our somewhat hastily produced research project found.
GroundbreakingTip338@reddit
I remember reading this comment a while back. I tried to find suspicious vscode extensions, mainly through their descriptions and to no avail. The only extension I could find was: itemName=IyotBirada.Ovaltinies-Tinie which has 0 downloads. If you have any pointers, I would be grateful
Lord_Zane@reddit
Sorry - it's been too long, and I no longer remember. Perhaps the extensions store was cleaned up in the ~2 years since.
GroundbreakingTip338@reddit
ahh that sucks. if by any chance you guys scraped the marketplace 2 years ago and still have the dataset, I would love to compare how far they have changed.
Thanks :D
Lord_Zane@reddit
I checked, I don't see any github repo. Not sure where we might've kept it otherwise, sorry.
GroundbreakingTip338@reddit
I genuinely appreciate you looking. I can't even get my assigned teammates to reply 😭.
While looking I found this video: https://www.youtube.com/watch?v=1zGwA1qMGvM&t=98s by John Hammond
He uploaded a csv file of all available extensions in 2023 (51k to 70k): https://docs.google.com/spreadsheets/d/12GIzrSzzU-_Ok4pPigUJYSxKO2ZYSmDwr1OJy6T2X40/edit?gid=1397736002#gid=1397736002
Just in case you needed it in the future
amitassaraf@reddit
Amit here from the original blog post.
Actually during our research of Visual Studio Code extensions in the past few weeks we've found an alarming amount of security design flaws that deserve the security community’s attention. The lack of a permission model, automatic silent updates, and unrestricted capabilities are just a few issues that pose a direct threat to organizations who use Visual Studio Code.
Read our letter to Microsoft with the design flaws we've found - https://medium.com/@amitassaraf/3-6-uncovering-design-flaws-in-the-visual-studio-code-marketplace-ea1d8e8b0171
cauthon@reddit
Do you have the list of malicious extensions published anywhere?
Infamous_Employer_85@reddit
Asking the useful questions
stuckinmotion@reddit
The painfully obvious, ie how could they not include it, questions
Infamous_Employer_85@reddit
thanks so much for all of your work. It seems that it would be very useful to have tooling available to the community to detect extensions with security issues, I followed you on Medium hoping that future posts will outline simple ways for developers to identify problematic extensions. Ideally, as you point out, Microsoft would provide such tools or identify security issues on the extension's page.
ComprehensiveWord201@reddit
I don't see how this is a response to the previous poster. This doesn't really have anything to do with what they said, more like you are squatting on the top posted reply to get more people to other articles...
Lord_Zane@reddit
I'm personally happy that they did post. Their original post is worth reading instead of reading it summarized through bleepingcomputer.
ComprehensiveWord201@reddit
Fair.
Lord_Zane@reddit
Great blog post and research, thank you for linking the original report! Annoyingly the bleepingcomputer article did not.
jkrejcha3@reddit
I think I have a hypothesis for this specific type of spam, and it (depending on what you find interesting) has an interesting backstory from what I can tell. While not advertising pirated movies, I think I have a hypothesis on what they're doing (TL;DR: domain reputation abuse).
Okay, so there's this weird type of spam that I'm vaguely calling "sports streaming spam". Their group^* (probably using stolen accounts), on reddit (as one example of sites they spammed), would create dozens of subreddits and flood dozens of posts to their subreddits and make hundreds of thousands of comments on those subreddits posting links to their spam. This worked pretty well; if you googled some of the search terms during NFL season or whatever, you'd get their links as some of the top results.
This stuff wasn't limited to reddit either; you still see it on StackOverflow and the other SE network sites if you monitor the SmokeDetector chatroom. Anyway, at some point I guess people on the anti-spam side figured out that their links from new accounts were by and large garbage spam you could automatically filter out and remove.
So the spammers I think needed new tactics. Eventually what they started doing is creating GitHub apps and I guess probably VS Code extensions and then linking to that in their spam and the description just says where to go. I saw this happen at least once while looking through the SmokeDetector room. My guess is that on places like reddit and (especially) StackOverflow, links to GitHub and the VS Code extension library aren't filtered out, because they have higher likelihood to be legitimate than downloadc00lnewmovies.example or whatever.
shgysk8zer0@reddit
These posts should really name the extension (some Dracula theme here, it looks like... Didn't and won't fully read). Kinda click-baity to not. I shouldn't have to open some link to know if it's relevant... Should know by the title.
reactivedumpaway@reddit
The Dracula theme extension was a "typosquatter" (Darcula Theme, with "darculatheme.com" as the registered domain) released by the researcher as an experiment, which uses actual Dracula theme code but with additional code that "collects system information, including the hostname, number of installed extensions, device's domain name, and the operating system platform, and sends it to a remote server via an HTTPS POST request."
Result: no flagging from endpoint detection and response (EDR) tools, verified publisher, multiple high-value targets installed said extension.
Well I thought the entire article was clickbait until I read further. Turns out the researchers dive deeper and scan the marketplace then find a lot of extensions with really malicious code (one example they provided is CWL Beautifer, which opens a reverse shell)
So yeah, fun stuff.
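An added sketch (not code from the researchers' post or from any commenter) of the manifest-level scanning Lord_Zane describes and of the "Darcula Theme" lookalike case summarized above: it flags a near-identical display name from a different publisher and a theme that ships executable code. The `KNOWN` list, publisher ids and both sample manifests are constructed; `main`, `browser`, `activationEvents` and `contributes` are standard extension `package.json` fields.

```javascript
// Added example: manifest-level triage of a VS Code extension's package.json.
// KNOWN and both sample manifests below are constructed for illustration.
const KNOWN = [
  { displayName: "Dracula Theme", publisher: "known-publisher" }, // constructed entry
];
const THEME_KEYS = new Set(["themes", "iconThemes", "productIconThemes"]);

// Optimal string alignment distance: insert, delete, substitute and
// adjacent transposition each cost 1, so "darcula" -> "dracula" is 1.
function osaDistance(a, b) {
  const rows = a.length + 1;
  const cols = b.length + 1;
  const d = Array.from({ length: rows }, () => new Array(cols).fill(0));
  for (let i = 0; i < rows; i++) d[i][0] = i;
  for (let j = 0; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // swapped neighbours
      }
    }
  }
  return d[a.length][b.length];
}

const normalize = (s) => String(s || "").toLowerCase().replace(/[^a-z0-9]/g, "");

// Returns the known entry this manifest imitates, or null.
function lookalikeOf(manifest, known, maxDistance = 2) {
  const name = normalize(manifest.displayName || manifest.name);
  if (name.length < 6) return null; // short names collide too easily
  for (const entry of known) {
    if (manifest.publisher === entry.publisher) continue; // the genuine publisher
    if (osaDistance(name, normalize(entry.displayName)) <= maxDistance) return entry;
  }
  return null;
}

// True when the extension contributes nothing except themes.
function isThemeOnly(manifest) {
  const keys = Object.keys(manifest.contributes || {});
  return keys.length > 0 && keys.every((k) => THEME_KEYS.has(k));
}

function triage(manifest, known) {
  const findings = [];
  const hit = lookalikeOf(manifest, known);
  if (hit) {
    findings.push({
      rule: "lookalike-name",
      detail: `resembles "${hit.displayName}" but publisher is "${manifest.publisher}"`,
    });
  }
  const entry = manifest.main || manifest.browser; // code loaded by the extension host
  if (isThemeOnly(manifest) && entry) {
    findings.push({ rule: "theme-with-code", detail: `contributes only themes yet loads ${entry}` });
  }
  const events = manifest.activationEvents || [];
  if (entry && events.some((e) => e === "*" || e === "onStartupFinished")) {
    findings.push({ rule: "eager-activation", detail: "code runs at startup without user action" });
  }
  return findings;
}

// Constructed manifest: lookalike name, theme-only contributions, plus code.
const SUSPICIOUS = {
  name: "darcula-theme",
  displayName: "Darcula Theme",
  publisher: "some-other-publisher",
  main: "./out/extension.js",
  activationEvents: ["*"],
  contributes: { themes: [{ label: "Darcula", uiTheme: "vs-dark", path: "./themes/darcula.json" }] },
};

// Constructed manifest: a declarative theme from the expected publisher.
const BENIGN = {
  name: "theme-dracula",
  displayName: "Dracula Theme",
  publisher: "known-publisher",
  contributes: { themes: [{ label: "Dracula", uiTheme: "vs-dark", path: "./themes/dracula.json" }] },
};

for (const m of [SUSPICIOUS, BENIGN]) {
  console.log(m.displayName, triage(m, KNOWN).map((f) => f.rule));
}
```

These are review signals rather than verdicts: many legitimate extensions activate at startup, so the rules carry the most weight in combination, as in the first sample.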
EasyMrB@reddit
Good god, with those numbers I'd rather just drop VS Code entirely.
SirPsychoMantis@reddit
/r/neovim
See you soon
tomachinz@reddit
Time to give Neovim a look.... 🙏
fripletister@reddit
Hahahaha I'm good
KevinCarbonara@reddit
I don't really understand what you think the issue is, here. VSCode could likely do more to defend against malicious extensions - but you're the one who chooses which extensions to run. You could just... not. I'm not really sure what other software you'd use that had both a robust extension system and didn't have these issues.
Delicious_Sundae4209@reddit
It's pretty much like having an AppStore without any security. Can you really blame the user? What's the point in controlling what you can install, if there is no security review in place.
orbita2d@reddit
The problem being that vscode is so poorly featured that you are basically required to install extensions?
KevinCarbonara@reddit
Compared to... what?
You honestly don't sound like you've... ever programmed. The reason VSCode got popular is actually quite the opposite of what you've said. VSCode was based on Atom, another electron-based IDE with extensions. The primary reason VSCode was more popular was because it didn't need extensions to be good. Whereas Atom required a lot of customization, VSCode was good right out of the box.
I also have no idea what you're comparing it to. Every editor I know of has plugins, most with far less oversight than VSCode. Vim for example once ran into a wall where people's loading times were so long (1m+) that someone had to fork the project to create neovim to implement parallel processing of plugins.
What exactly are you using to program that doesn't have extensions? Notepad?
orbita2d@reddit
I've never felt the need to install more than one or two extensions in anything JetBrains.
Congrats on the most arrogant, programmer stereotype comment I've ever seen in response to an IDE opinion you disagree with, bloody hell.
Czumanahana@reddit
But on the other hand you have to install 2-3 ides if you are using multiple languages.
fripletister@reddit
No you don't. There's an ultimate edition.
vplatt@reddit
Does that still work? I haven't tried in a while, but as I've been tinkering in almost equal parts these days in Rider, RustRover, and GoLand, could I do the same with all the same features in Ultimate Edition still? Right now I just keep all 3 products installed.
Dealiner@reddit
Not with Rider, it uses different backend than the rest.
axonxorz@reddit
Nah, get IntelliJ Ultimate if you're using that many separate JB IDEs. Every IDE they provide is just a set of plugins and configuration on the IntelliJ platform, and Ultimate can just load them all at the same time. For example, PyCharm comes with most (all?) of the same features as WebStorm, I assume PhpStorm and RubyMine are the same.
Dealiner@reddit
Not all, Rider (and maybe something else) is completely separate, since it uses different backend.
KevinCarbonara@reddit
So you're basically required to install extensions? Now we're back at square one
axonxorz@reddit
Square one being what? Installing a core featureset that in itself can be run as a fully separate product?
That's not the same as installing an LSP server, rainbow brackets or SSH remote support in VSCode, you can't run those extensions without VSCode. You can run the other Jetbrains IDEs if you are averse to installing external code from within the IDE.
Extensions can be signed on JetBrains (and the ones we're talking about are). The issue for implementation for VSCode is still open, 7 years later.. Extensions are also reviewed and approved.
KevinCarbonara@reddit
The post I originally responded to, where someone attempted to claim that VSCode was trash software because it needed extensions.
axonxorz@reddit
Ah I understand now; I was confused as "VSCode was trash software because it needed extensions" didn't appear to be a position either of us took.
And that commenter really ignored the "recommended extensions" caveat.
VSCode having an insecure extension system is in the same vein as PYPI having bad actors upload malicious code, but you don't see people going "well I guess I'll just forgo pip" lol
I think unsigned extensions is not great and I'm shocked MS hasn't figured that out. VSCode has a good market position, especially for beginners. Beginners are dangerous, but that's not VSCode's "fault"
orbita2d@reddit
Sure, but even my most polyglot team capped out at 4, and I only used two of them.
How common is it for a professional developer to use more than that regularly? It seems like it would nuke your expertise to constantly switch.
KevinCarbonara@reddit
This post really didn't age well did it
orbita2d@reddit
Why?
pragmojo@reddit
I disagree - this is a particular risk with VSCode due to the "recommended extensions" feature - i.e. if you are opening a certain type of file, VSCode will suggest extensions that you can install with just a click of extension.
You can't expect every person to fully vet every extension their editor suggests for them. Especially many beginner devs are likely to just click yes when prompted if their editor suggests something.
It's a huge surface area for supply-chain attacks. It's pretty easy to imagine a situation like the xz attack, where a well-used extension gets compromised, and millions of people get the compromised version with an auto-update without even realizing it.
MrJohz@reddit
But is it the recommended extensions that are being compromised here? VSCode doesn't just randomly suggest recommended extensions, I believe the ones they recommend are typically the standard extensions for a particular ecosystem.
There are still risks involved in vetting the processes and supply chains of those extensions, but that's a very different set of risks to the ones described in that comment.
calebkiage@reddit
I think repositories can also recommend extensions as well through their workspace recommended extensions feature. So a beginner downloading tutorial source code and installing the recommended extensions can be compromised
MrJohz@reddit
But that also happens if you read a tutorial and it says "now install xyz extension".
Installing extensions is definitely a security risk, but the "recommended extensions" feature doesn't make it more of a security risk. Yes, the recommended extensions could be compromised, but that's true of any extensions, and can occur in a variety of ways.
pragmojo@reddit
I disagree. The barrier to entry for recommended extensions is so low - you literally just have to click a button. The UX even makes it annoying not to install the recommended extension, because it will keep popping up in the corner periodically like a software update notification.
With a tutorial, at least you have to go through the effort of manually installing the extension, even potentially with some terminal commands. That's enough friction that the least sophisticated users, who are most at risk, might not even get that far.
And if it's coming from a tutorial, at least you have the context of the tutorial to understand how trustworthy the author might be. With VSCode, you probably aren't even aware of where the request to install the extension is coming from. It's just the default action recommended by VSCode as far as the UX is telling you.
So it's not to say you can ever eliminate all risk, but maybe we should not make it the easiest thing in the world to put yourself at risk.
Jaggedmallard26@reddit
The issue is it trains naive users to blindly trust extensions. The mechanism for installing a recommended extension is identical to installing an untrusted extension. Sure we can sit here as knowledgeable people and say we would be careful but evidently hundreds of millions will not. If untrusted extensions required you to go to a third party website download something and then import through warnings then it wouldn't be VS codes issue.
drcforbin@reddit
From the original blog post, all it takes to get a blue check and become a verified publisher is adding a verified domain to your publisher account. Only 4% of extensions even do that, including some of the top extensions. It's meaningless and they need to change that before using it for anything
pragmojo@reddit
That's why I bring up the xz example: it was considered to be safe and well-trusted software for years, but then bad actors got control of the project via social engineering, and injected malicious code.
You could easily imagine a similar attack, where someone finds the list of the 100 most used extensions, finds one or a handful where they can get commit rights to the repository, and releases an update containing malicious code.
This is the inherent risk of maximalist tooling and high dependency development.
ihopkid@reddit
Have never had these issues with any of JetBrains products, ie Rider, PyCharm. But then again, I pay a fair amount for the security of verified plugins on JB
foreveratom@reddit
Yes but you are mentioning professional tools for developers, not some freebie interface where everything goes (literally) aimed at tinkerers who don't know better.
fripletister@reddit
You're not wrong; you're just an asshole.
Celos@reddit
Has this been vetted by some external party? Intellij seems to have more stringent controls, but unless they're verified somehow, it's kind of a meaningless statement. The hundreds of millions of installs mentioned in the article probably didn't have noticeable issues either.
ihopkid@reddit
yes, if this is what you are referring to, JB plugins all go thru a verification process and must be installed thru the JB Marketplace app to prevent any malicious or misleading plugins. Has its ups and downs, some plugins I like are outdated because latest version hasn’t been approved yet but I still like being secure lol
ryjhelixir@reddit
I didn't need many extensions using Zed
pragmojo@reddit
Zed is an amazing editor - I hate having to use VSCode at work
kraskaskaCreature@reddit
uninstalling vs code due to some bad apples is something;
i don't think it's that likely to get malware from the extension store
EasyMrB@reddit
Let's just repeat the relevant facts.
Frumberto@reddit
Ok, how many total installs? Because you can’t calculate likelihood from incidence alone.
EasyMrB@reddit
Like, bruh
Frumberto@reddit
Bruh:
Likelihood = incidence per total
Use your brain.
nocrimps@reddit
You should form a complete thought using full sentences if you want to get your point across.
Or you and this other guy can have a reddit argument that nobody else cares about, your choice.
Frumberto@reddit
Im sorry, all the information necessary was present in my first comment.
I’m not their high school stats tutor.
nocrimps@reddit
It wasn't a complete thought. Do you want me to teach you the necessary parts of speech in a sentence? I'm not your high school English teacher.
Frumberto@reddit
That sure was sentence!
Aber teacher iq.
nocrimps@reddit
Sad attitude. You aren't God's gift to humanity. Communication is just as important as ideas - and you're failing miserably on that front.
You can rejoin us and sit at the grownups table once you're ready to act like an adult instead of a petulant child.
Frumberto@reddit
It’s not me who failed in communicating here.
Step 1 is making a good faith effort in bringing a full brain to the table.
nocrimps@reddit
Stay mad kiddo, I don't care. I'm not a part of your original argument, think of me as a social worker and yourself as a maladjusted delinquent who needs guidance but doesn't know it.
Part two of this film ends after you hit rock bottom, you're a mid thirties loser mad at the world for not "understanding your genius", but really we just don't want to engage with someone so insufferable.
Frumberto@reddit
I am really not worried about you, or all people, not wanting to engage with me.
All the social workers I knew were in dire straits themselves, so…
Joke's on you: I’m already a mid thirties loser, that makes good money as a programmer.
And my coworkers actually like me, because I actually value them as humans, and don’t see them as the brainless bots you guys are.
nocrimps@reddit
r/iamverysmart material
"Everyone is stupid except me because I couldn't form a full English sentence and reframed it as everyone else lacking comprehension skills"
Yeah I'm sure your coworkers absolutely love you bud.
Frumberto@reddit
We can continue our conversation on any of the other three languages I speak fluently, if you prefer.
And I am not literally smarter than everyone else.
Just 97%ish.
nocrimps@reddit
You're really leaning into it.
Frumberto@reddit
Don’t you have some lives to save, Mr. Social worker?
Hero of the downtrodden, savior of the blergh
kraskaskaCreature@reddit
assuming this page gives correct number:
https://marketplace.visualstudio.com/search?target=VSCode&category=All%20categories&sortBy=Installs
the chances of getting a malicious extension are 1452 / 59783 = 0.0242..., so about 2.42%, which is low. you wanna drop using vs code over 2 percent?
Frumberto@reddit
Only comment here with any sense.
StickiStickman@reddit
What does "malicious code" mean? What does "unknown executables" mean?
The numbers are absolutely meaningless.
GlowiesStoleMyRide@reddit
I'm wondering if the installs number for malicious plugins have been artificially inflated to appear more trustworthy.
SimpleArchive@reddit
Data intrusion would be the next cause of the world war. These issues are really causing the pain to the real and sincere developers in one or the other way. We should start using next-gen code editors as Zed or Project IDX.
shgysk8zer0@reddit
What it actually was about doesn't particularly matter when it comes to the specific thing I'm addressing. The basic info of that should've been in the post. We shouldn't have to open a link (and Reddit has started hiding URLs, so can't tell if it's a legitimate source or not) just to know what it's about and if I should be concerned.
Some typo variant of a theme I don't use is uninteresting to me. If it were Eslint though... That'd be a different story.
This is just click-bait and probably results in extremely high bounce rates.
daishi55@reddit
the headline accurately described the article
Healthy_Student_2314@reddit
The basic info here should’ve been at least to name some of the extensions
VelvetWhiteRabbit@reddit
Some of the 8000 extensions?
Infamous_Employer_85@reddit
Ideally all of them in a txt file that can be viewed
shgysk8zer0@reddit
Exactly. This is some unnecessary theme I don't even use, not Eslint or something I should actually be concerned about.
Frumberto@reddit
Congratulations, you didn’t even understand the topic.
StickiStickman@reddit
It literally doesn't, it's straight up wrong, showing you yourself clearly didn't read it.
They didn't "discover" it, they purposefully made the extension as a test.
shgysk8zer0@reddit
No accurate description omits the very subject. It is click-bait in that it baits you into clicking just to know what it's even about.
PaintItPurple@reddit
It's about researchers finding thousands of malware extensions with millions of installs between them. Having read the article, I'd say the headline set my expectations pretty accurately.
caboosetp@reddit
The one with a typo wasn't malicious, it was for research. For the ones that were actually malicious that you would want to be worried about, there's literally thousands of them.
liveoneggs@reddit
pretty much the same as vanilla node/npm
StickiStickman@reddit
All of these numbers are so incredibly vague they mean absolutely nothing.
karuna_murti@reddit
"researchers".
no, bad actors.
sparant76@reddit
Open source and markets for the win.
dippocrite@reddit
The malicious software is the ‘Darcula theme’. They name squatted by using a misspelling of a very popular theme. It’s not the Dracula theme that is infected.
coldblade2000@reddit
The default Jetbrains IDEs theme (or at least in the old UI) is also called "Darcula".
verrius@reddit
I could be mistaken, but I think Darcula is also a relatively popular name for dark mode themeing, especially for IDEs, since Jetbrains has a popular one with that name (I could have sworn Konqueror did as well back in the day), since it's also a pun on dark/Dracula.
Generic-Moniker@reddit
Good grief, have you seen how many "Darcula" themes there are in the marketplace? "Darcula Official" sounds like a good name to pick if you want to stand out from the crowd for your malware attack.
CelDaemon@reddit
Dracula itself is safe, it was a misspelled version of the name that wasn't
KevinCarbonara@reddit
Darcula is the name of the theme. It's a pun. I think Dracula is the misspelling.
Glebun@reddit
Um, no. https://github.com/dracula/dracula-theme
KnifeFed@reddit
Downvoted for providing facts 👍
ward2k@reddit
Darcula is the name of the theme, it's a common theme name across various tools and services and has been for years
How is this comment so upvoted it's completely wrong
ourobo-ros@reddit
Welcome to reddit.
Glebun@reddit
https://marketplace.visualstudio.com/items?itemName=dracula-theme.theme-dracula
ward2k@reddit
Yes and Darcula also exists
Or is JetBrains also name squatting the word 'Dracula' looking for malicious installs? No, because Dracula is neon and Darcula isn't
Glebun@reddit
The original comment you replied to wasn't wrong - the researchers squatted the misspelling of a popular theme - Dracula (draculatheme.com) vs Darcula (darculatheme.com).
No, it's a JetBrains-only theme. Dracula, on the other hand, is a common theme across various tools and services.
ward2k@reddit
Created by Jetbrains yes however it's now a very popular theme across most tools, Dracula and Darcula are two separate themes. It's not as popular as Dracula but saying it's exclusive to Jetbrains isn't correct
https://marketplace.visualstudio.com/items?itemName=rokoroku.vscode-theme-darcula - Since 2020, well before this research paper
https://github.com/telamonian/theme-darcula
https://github.com/xiantang/darcula-dark.nvim
https://pypi.org/project/theme-darcula/
https://emacsthemes.com/themes/darcula-theme.html
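The Dracula/Darcula exchange above, as an added example that is not part of the thread: a defender-side check that flags installed extension IDs whose name is a near-miss of a known-good one, with a reviewed list for legitimate look-alikes. The two IDs marked "from the thread" appear in the comments above; every other ID, the `GENERIC` word list and the distance limits are assumptions made for the illustration.

```python
import re

# Tokens too generic to identify a brand on their own (assumed list).
GENERIC = {"theme", "themes", "vscode", "code", "official", "dark"}

# Extension IDs (publisher.name) accepted as the real thing.
KNOWN_GOOD = {"dracula-theme.theme-dracula"}        # from the thread
# Look-alikes a human has already reviewed and accepted.
REVIEWED = {"rokoroku.vscode-theme-darcula"}        # from the thread

# Constructed sample, in the shape printed by `code --list-extensions`.
INSTALLED_SAMPLE = [
    "dracula-theme.theme-dracula",
    "rokoroku.vscode-theme-darcula",
    "example-publisher.darcula-official",   # constructed placeholder ID
    "someone-else.theme-dracula",           # constructed placeholder ID
    "ms-python.python",
]


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent swap (ar -> ra) as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def tokens(ext_id: str) -> list:
    """Split an ID into lowercase words, dropping very short ones."""
    return [t for t in re.split(r"[^a-z0-9]+", ext_id.lower()) if len(t) >= 4]


def brand_index(known_good) -> dict:
    """Map each distinctive word of a known-good ID back to that ID."""
    index = {}
    for ext_id in sorted(known_good):
        for tok in tokens(ext_id):
            if tok not in GENERIC:
                index[tok] = ext_id.lower()
    return index


def match(ext_id: str, index: dict):
    """Return (known_good_id, reason) for the first suspicious token, else None."""
    for tok in tokens(ext_id):
        for brand, good_id in index.items():
            dist = osa_distance(tok, brand)
            limit = 1 if len(brand) < 8 else 2   # assumed thresholds
            if dist == 0:
                return good_id, "same name, different publisher or ID"
            if dist <= limit:
                return good_id, f"'{tok}' is {dist} edit(s) from '{brand}'"
    return None


def find_lookalikes(installed, known_good, reviewed=frozenset()):
    """List (installed_id, resembles, reason) for IDs that need a human look."""
    good = {g.lower() for g in known_good}
    skip = good | {r.lower() for r in reviewed}
    index = brand_index(good)
    findings = []
    for ext_id in installed:
        if ext_id.lower() in skip:
            continue
        hit = match(ext_id, index)
        if hit:
            findings.append((ext_id,) + hit)
    return findings


if __name__ == "__main__":
    for ext_id, resembles, reason in find_lookalikes(
            INSTALLED_SAMPLE, KNOWN_GOOD, REVIEWED):
        print(f"REVIEW {ext_id}: resembles {resembles} ({reason})")
```

A hit is a prompt for review rather than a verdict: as the comments above show, "Darcula" is also the name of long-standing legitimate themes, which is what the reviewed list is for.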
Celos@reddit
Because in VSCode-land the most popular extension (by installs) is Dracula?
ward2k@reddit
Darcula and Dracula are two separate theme sets
Dracula has a more neon look
Dracula is the base theme for JetBrains tools, this theme also exists across many other tools and services
PaintItPurple@reddit
There were thousands of malicious extensions they identified. That theme was just a research tool they created.
sysop073@reddit
There are 1300 malicious extensions, they can't name them all in the title. The Dracula one isn't one of them, that was their experiment to try and get people to install an intentionally typoed clone of a popular extension.
shgysk8zer0@reddit
The typo and cloned extension is the important thing omitted.
max123246@reddit
The article title is misleading. It's actually about research about how easy it is to copycat a popular extension and get downloads which now have access to your dev environment. The Dracula theme copycat was created by a research team to test this and collects some data and publicly discloses it in the readme and they were able to get many users unintentionally downloading it in under 24 hours.
I appreciate the honesty that you didn't read the article but how is this the top comment?
shgysk8zer0@reddit
Yeah, once I took a quick glance and realized I didn't care... I didn't care.
IDK how it's top. Possibly just because I said that I shouldn't have to open the link just to know what it's actually about and a lot of people agreed?
OMG_A_CUPCAKE@reddit
If multiple extensions are affected and only some of them are listed in the headline (because it can't be too long) then it would just give you a false sense of security if one of yours wasn't listed.
A title isn't clickbait just because it can't give you all the information at once. Otherwise we wouldn't need articles.
shgysk8zer0@reddit
Was any main/official extension compromised? If so, wouldn't they lead with that?
I have very few installed because I already knew that things could be malicious.
_PC__LOAD__LETTER_@reddit
The article title isn’t misleading. What you’ve described is the first part of the article. The second part of the article describes a scan the team did in which they did indeed discover millions of installs of malicious code.
_PC__LOAD__LETTER_@reddit
Your comment is all that is wrong with what this subreddit has become. You admit that you didn’t read the article but you say the title should be different? That is insane.
As others have said, there is nothing wrong with the Dracula theme extension. They typosquatted that one to demonstrate how malicious code could be delivered.
Then they did separate research to demonstrate that there are many actual extensions with malicious code. Hundreds if not thousands. Would you like them to list 1000 extension names in the title?
Educational_Skin4519@reddit
It was an experiment not 1 extension they found. You should have read the article it’s not clickbait
MyShirtPocket@reddit
Bro just discovered clickbait
shgysk8zer0@reddit
Unfortunately discovered it a very long time ago. I'm just calling it what it is.
amitassaraf@reddit
We've actually released the solution to this problem, a free community tool called ExtensionTotal, check out our blog post about it - https://medium.com/@amitassaraf/4-6-introducing-extensiontotal-how-to-assess-risk-in-vs-code-extensions-3ac5bfd83fb1
ChicagoStooge@reddit
This is going to go unnoticed by many less-active developers for a long time.
test-user-67@reddit
It's funny because many tools at large companies require upper management approval to install, which can take weeks. Whereas vscode doesn't require admin access to install and inevitably results in people using what are probably less secure extensions over well known software for the sake of productivity and deadlines.
pnedito@reddit
Emacs is over here laughing...
Aminumbra@reddit
TBH and as much as I love Emacs: not really. The fact is that:
- Emacs has significantly less users, hence, less extensions and above, it is less interesting to infect the "Emacs userbase" than to infect the "VS Code" userbase, so less incentive to develop malware/malicious extensions.
- Emacs is very, very far from being sandboxed: any extension has the same right as the user (download arbitrary stuff from the Internet, complete access to the filesystem ...)
- Emacs users tend to read their extensions' source code much more often than VS Code users -- be it for documentation, patches, examples on how to do something ... so it is not /that/ easy to completely hide a malware/malicious intent within source code here, as it is very likely someone will spot it.
- To some extent, the usual package archives are moderated. However, it is unclear to me how much of a code review is done by the moderators of (typically) MELPA.
pnedito@reddit
We'll have to disagree about the effective user base of Emacs vs VScode. There really aren't reasonable metrics to back up your assertion in this regard. Beyond that, I'd venture that the reason you don't hear much about Emacs extensions "infecting" the app is because Emacs users are pretty damn Code savvy as a rule, and probably more so than your avg Vs Coder 😋
And yet Emacs hasn't really shown a strong need for sandboxes. What it does need is first class Common Lisp style namespaces for packages, but RMS has a bone to pick with CL so it doesn't and likely never will.
Yes, Emacs users are a savvy lot in general 🤓
Melpa isn't remotely the only source of packages for Emacs. The damn editor is decades old. I'm personally running code I cut nearly 20 years ago in Emacs and routinely use crufty old code written well before that... Which, I guess bolsters your point... no one seems to be watching over user built packages to scrutinize their security protocols. This said, because Emacs users are a savvy lot, if/when a particular package does gain traction with the user base, there does tend to be a fair bit of code review and contribution which tends to qualify as highly functional self policing vis a vis security.
zolnox@reddit
VSCode is the WordPress of text editors.
Both WordPress and VSCode are flexible, extensible, and prone to security issues.
klysium@reddit
I tend to use plugins with verified authors but I should go through my list of plugins to be sure.
Extensions like the csv viewer to table extension might be popular but maybe used twice, doesn't need to be installed anymore
InfectedShadow@reddit
You mean authors who paid at minimum $5 for a domain to add to the publisher account for the pretty badge? Probably shouldn't trust them either tbh.
klysium@reddit
Good point. Should get rid of some regardless
ejb503@reddit
Yeh, "discovered". What about the 10's or 100's of others!
totemo@reddit
The majority of comments on this post are missing the point. Commenters are down-playing the severity of the problem, and I have to wonder whether some of those commenters have a vested interest in encouraging complacency.
The article is not click-bait. It mentions one typosquatting extension that was the researchers' proof-of-concept. But the real story is:
Microsoft has not removed all of the malicious extensions reported to them:
There are a lot of dodgy extensions:
The list of malicious extensions is not published, from what I can find. We will have to wait until next week to be able to run the researchers' checking tool.
If you deal with valuable intellectual property and you run VSCode, this is really fucking serious.
teerre@reddit
Another point is why a theme is even allowed to do any requests. It's a theme. It's especially funny since it's a VSCode theme which doesn't even allow you to customize the look that much. If themes could completely change widgets or something, maybe, but it's just colors
JamesGecko@reddit
VSCode themes are extensions, and as such can do anything that any extension can do. And they do! The Monokai Pro theme runs in "trial mode" and requires payment for extended use, for example.
teerre@reddit
I know that's how it is now, but there's no reason it has to be that way. If they want to support buying a theme, they can support it in other ways
ayhctuf@reddit
My guess is because Electron sucks and doesn't allow for proper restrictions and sandboxing. All the more reason to stick to native apps, I guess.
pragmojo@reddit
Yeah probably there should be manual opt-in required to install a plugin which needs certain access, like shell, file system, or network
KevinCarbonara@reddit
I think the dismissiveness you're seeing is from people like me who use VSCode and extensions, but have always treated extensions as if they are potentially insecure (because they quite obviously are) and have stuck to trustworthy extensions.
Character_Ad_6175@reddit
It never occurred to me that VSCode themes could be potentially harmful. I'm using JetBrains though, but for one project I was on VSCode. I guess I'll have to do my due diligence since Microsoft will not. I think what irks me about people like you, is that you aren't even fazed by the negligence of Microsoft.
KevinCarbonara@reddit
Why does it bother you that Microsoft doesn't vet other people's extensions, but it doesn't bother you when Jetbrains does the same?
There are probably people irked by your lack of concern of Jetbrains's negligence as well
Character_Ad_6175@reddit
My comment was clumsily phrased, and understandably gave you the impression that I think either case is fine, which I don't.
The last part of your comment is very strange, it sounds like you're saying unless I am an industry expert on cyber security, I can't have an opinion on the security negligence of a Mega Corporation, like Microsoft. Actually, you're even implying I'm some kind of hypocrite for expecting more from Microsoft than I do from myself. Are you mentally ill, or dumb?
binheap@reddit
I think this is still valuable since the security hygiene of most programmers might as well be non-existent.
KevinCarbonara@reddit
If by "this", you mean people investigating the security of extensions and exposing security flaws, I agree 100%. And I mentioned in a separate comment that Microsoft could probably do a lot more than they currently are to ensure security.
But for some reason, people seem to be pushing the narrative that Microsoft is somehow deficient for not putting in significantly more effort than literally anyone else in the field is doing. It hasn't historically been the responsibility of the authors of extensible software to personally monitor all extensions of that software. The entire point of extensions is to allow the community to provide their own solution. This is more a condemnation of the community than of the corporation in this case.
All that aside, I hope this does push Microsoft to remove the more easily abused features of their extension platform. But I also realize that those changes will probably provoke a new wave of criticism about the removed content, much of it likely from the same group currently criticizing them for the poor security of extensions.
totemo@reddit
I'm wary of free lunches in all their myriad forms. The $64,000 question is "how do you evaluate 'trustworthiness'". I consider Microsoft's own extensions to be as trustworthy as VSCode itself.
But after that, what do you do? If you believe in safety in numbers, well 229 million installs spread across 1283 malicious extensions is an average of 178,000 installs. Quite a respectable number and no indication of safety.
Past that, it's up to you to look at the code, but Microsoft doesn't even guarantee that the GitHub link on the extension page matches the deployed code. That's utterly negligent.
NeverComments@reddit
A manifest detailing required extension permissions would go a long way, too. If a color scheme is requesting unrestricted read/write permissions to your filesystem then users can make a more informed decision beyond blind trust or reading the source of the extension directly.
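On the points above that themes are ordinary extensions and that there is no permissions manifest, an added example (not code from the thread or from VS Code): what the existing `package.json` already reveals. An extension that only contributes themes needs no `main` or `browser` entry point, so a theme that declares one ships code worth reading before trusting it. The manifests below are constructed, and the verdict strings and the default `~/.vscode/extensions` path are assumptions of this sketch.

```python
import json
import tempfile
from pathlib import Path

# Contribution points that are purely declarative styling.
THEME_POINTS = {"themes", "iconThemes", "productIconThemes", "colors"}
# Activation events that load the extension's code at every startup.
EAGER_EVENTS = {"*", "onStartupFinished"}


def audit_manifest(manifest: dict) -> dict:
    """Classify one extension manifest by whether it ships executable code."""
    ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
    contributes = manifest.get("contributes") or {}
    categories = {str(c).lower() for c in manifest.get("categories") or []}
    entry_points = [manifest[k] for k in ("main", "browser") if manifest.get(k)]
    theme_like = (categories == {"themes"}
                  or (bool(contributes) and set(contributes) <= THEME_POINTS))
    eager = sorted(EAGER_EVENTS & set(manifest.get("activationEvents") or []))
    if theme_like and entry_points:
        verdict = "review: theme ships executable code"
    elif entry_points:
        verdict = "code extension"
    else:
        verdict = "declarative only"
    return {"id": ext_id, "entry_points": entry_points,
            "eager_activation": eager, "verdict": verdict}


def scan_extensions_dir(root: Path) -> list:
    """Audit every <root>/<extension>/package.json; note unreadable manifests."""
    results = []
    for pkg in sorted(root.glob("*/package.json")):
        try:
            manifest = json.loads(pkg.read_text(encoding="utf-8"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
            results.append(audit_manifest(manifest))
        except (OSError, ValueError) as exc:   # JSONDecodeError is a ValueError
            results.append({"id": pkg.parent.name, "entry_points": [],
                            "eager_activation": [],
                            "verdict": f"unreadable manifest: {exc}"})
    return results


# Constructed manifests: a plain theme, a theme with code, a normal tool.
SAMPLE_MANIFESTS = {
    "a-plain-theme": {
        "publisher": "example-a", "name": "plain-theme",
        "categories": ["Themes"],
        "contributes": {"themes": [{"label": "Plain", "path": "./plain.json"}]},
    },
    "b-theme-with-code": {
        "publisher": "example-b", "name": "theme-with-code",
        "categories": ["Themes"],
        "main": "./out/extension.js",
        "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Coded", "path": "./coded.json"}]},
    },
    "c-linter": {
        "publisher": "example-c", "name": "linter",
        "categories": ["Linters"],
        "main": "./dist/main.js",
        "contributes": {"commands": [{"command": "lint.run", "title": "Lint"}]},
    },
}


def write_sample_dir(root: Path) -> Path:
    """Lay the constructed manifests out like an extensions directory."""
    for folder, manifest in SAMPLE_MANIFESTS.items():
        (root / folder).mkdir(parents=True, exist_ok=True)
        (root / folder / "package.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    # Point scan_extensions_dir at Path.home() / ".vscode" / "extensions"
    # to audit a real install; the demo uses the constructed samples.
    with tempfile.TemporaryDirectory() as tmp:
        for row in scan_extensions_dir(write_sample_dir(Path(tmp))):
            print(f"{row['id']:28} {row['verdict']} {row['eager_activation']}")
```

A "review" verdict means code is present, not that it is malicious; the paid-theme trial logic mentioned above would be flagged the same way.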
FlangerOfTowels@reddit
Agreed. Some of the comments are outright ridiculously dumb.
Wouldn't be surprised if some of the people invested in the VSCode malware are trying to run interference. If so, they kind of suck at it.
FancyASlurpie@reddit
I would say any large company that just allows any developer to install arbitrary extensions has this risk, there's a reason why the only extension my company allows is their internal extension marketplace that vets all the extensions on it.
CyAScott@reddit
I could see this as a problem for someone who is working solo on a project, but for an organization this likely is not as bad. Every company I worked for, every bit of software (including plugins) needs to be vetted before it can be used. We vet for license issues, is actively supported, does the company that made the software have a good relationship with their users, etc.
edaroni@reddit
What fkn extension? Man I hate these posts…
smirkjuice@reddit
Darcula
Manbeardo@reddit
Wait, isn't Darcula a common name for unaffiliated themes that are made to look just like Dracula? Similar to how Meslo is the free lookalike of Apple's Menlo font.
Eurynom0s@reddit
I was going to say I thought it was "Darcula" and specifically thought it was specifically a "dark/Dracula" pun.
Chisignal@reddit
IntelliJ's default theme is called "Darcula". I have no idea why nobody has mentioned it yet.
AmateurHero@reddit
I thought that I had a false memory for a second, because no one was bringing up the IntelliJ theme. Then I did a web search for Darcula theme in IntelliJ. The first two entries are for plugins. But then the third result:
Chisignal@reddit
Oh okay then, but still, Darcula used to be the default theme for most of IntelliJ's history then haha
Eurynom0s@reddit
Okay yeah that's definitely where I got it from then, it's the default PyCharm theme too.
Cobalt129@reddit
More Microsoft incompetence with security, this isn't a surprise tbh
thrwawy324531@reddit
it's crazy to me that a multi-billion dollar company barely has any moderation (if any) on user created plugins
Zulakki@reddit
its tricky, do you want customization or regulation?
scandii@reddit
I mean, read the article.
this is going to sound extremely dismissive but I just want to make it clear that these marketplaces, no matter the company, is ripe with malware-esque applications. that said some dudes created a plugin with a similar name as a popular one that sends some minimal telemetry back home. that's it.
this obviously gets past Microsoft's threat detection because everyone and their grandmother collects data.
when someone mistakenly downloaded their pretty harmless plugin they successfully infected the organisation.
then they set up a pretty fuzzy list of criteria why other apps are a threat including but not limited to hard coded IP:s and the fact that plugins execute other binaries, which is fair but also just how many plugins work. also some amateurs left secrets in their source code.
and that's about the entire article.
ZurakZigil@reddit
it's a theme. why does a theme send any data back
lets-start-reading@reddit
why would a plugin have access to system resources? why would a multi-billion dollar company multi-million user application not sandbox it?
pragmojo@reddit
It's not as easy to sandbox coding extensions as something like a website. By their very nature, a lot of extensions will need things like shell access or file system access.
Probably there could be better fine-grained access control over what is allowed, but software development by nature is a fairly system-heavy pursuit.
Glebun@reddit
This is a solved problem - Github even provides hosted VS Code environments via their Codespaces offering.
pragmojo@reddit
Moving all software development to the cloud, and treating it as something which individuals can't or shouldn't do on their own computer is a way bigger problem
Glebun@reddit
How so? We're talking about a multi-billion dollar company, not individual independent devs
Fuyboo@reddit
he is saying your idea of treating VScode users like children and decide what they or aren‘t doing on their pc is incredibly stupid, but in a nice way
Glebun@reddit
Have you ever worked in a multi-billion company? They issue you a laptop where you don't have admin access to prevent stuff like this.
Chii@reddit
of course it shouldn't be sending back data. But as malware goes, it's the least worst thing. Imagine a keylogger instead, or a remote execution exploit injector etc.
Obviously, it's still malware whether it's "harmless" or not.
I think extensions need security built in, similar to how a browser has some security built in (against sites, like cross site origin permission, and http-only cookies etc).
ZurakZigil@reddit
right. but what I meant was a constant connection is obviously suspicious in that case.
scandii@reddit
...a theme is a plugin like any other, all plugins can send data anywhere. collecting basic system info is called telemetry but you guys want to call it malware. pretty much every website you ever visit is infected with similar "malware" called Google AdSense.
what I'm getting at here is that what their software did is so bog standard in the industry that I am genuinely baffled that anyone interprets it as malware. you will be hard pressed to find software that doesn't call home for one reason or another, be it login, news feeds or updates.
Frumberto@reddit
You’re completely missing the point.
No one thinks the researchers used malicious code.
scandii@reddit
how is it an oversight by Microsoft that they allow industry standard features on their platform?
Hektorlisk@reddit
It's funny how you explicitly lay out how insane the status quo is and then come to the exact opposite conclusion that it all points to.
pragmojo@reddit
MS themselves are actually one of the worst offenders here. I avoid MS products as much as possible with how much "telemetry" they send back, and how often they "forget" user settings to disable it
TrainsDontHunt@reddit
Of the great sentences, there is obviously, "The Angels have the Police Box."
But second place must be, "Some amateurs left secrets in their source code."
NuGGGzGG@reddit
It's open source.
ZurakZigil@reddit
uh... yes? And who hosts the plugin store?
NuGGGzGG@reddit
Why would they moderate an open source store?
ZurakZigil@reddit
the store is not open source dude. the app is. they host the store. they could at least monitor the most popular apps and look at suspicious activity like themes that use a constant connection for some reason.
as much as it's an open source app, it is also a platform for them to sell services. so they make money on it
NuGGGzGG@reddit
Yes it is. https://github.com/microsoft/vscode/tree/main/extensions
They could also scan all the 3rd party extensions for anything - but you haven't demonstrated why they should. They made an open source editor with the ability for you to examine every single bit of whatever extension you want to install - and you're saying they need to monitor it? If you're using third party software - don't you look at it?
Am I just old as shit? When did look at the source become a non-starter?
Here are all the Microsoft Extension Licenses: https://code.visualstudio.com/docs/supporting/oss-extensions
What you're asking Microsoft to do with every single 3rd party extension submitted - is to examine it entirely to ensure it holds up to (what standards?) on monthly updates - when they're actively giving the software away for free?
You know what I've never been hit with? A "buy this" popup or notification in VSC.
You know why? It's because while Microsoft may maintain the sole managed of a project - they aren't actively making buy anything to make it work. Nothing about this text editor is P2P.
Which part of VSC is a "platform to sell services?" Can you show anything? Their download page doesn't even have a "pricing" link on it. It's free. They're actively giving it away on PC/Linux (fuck yeah)/macOS. What Microsoft products have you been incentivized to purchase because you use VSC?
binheap@reddit
A fair number of extensions aren't fully open source (e.g. Pylance). This isn't to say Pylance is dangerous, but I'm pretty sure it's at least not always feasible. You can avoid non OSS code, but it's also not really feasible or practical from a security perspective for every individual to manually check every extension. It simply doesn't occur. We've seen the exact same behavior in npm where malware gets introduced.
I think VSC has some pretty tight integrations with GitHub by default no? Certainly if you open a directory, the SCM side panel asks if you want to upload to GitHub and integrate VSCode with your GitHub account. The download page also promotes Azure. It's not the most aggressive upsell but it is an upsell. Not everything is an explicit price which is the whole point.
Shoox@reddit
Do you think it's unreasonable to force Meta to moderate Facebook? Doesn't Google have to check the videos that are uploaded to YouTube? As a platform provider you have to moderate your platform. It wasn't always that way but nowadays it is.
I mean, it's kinda easy for MS to do just that: Make a restricted store with only trusted partners and verified code. Additionally, make an option to also allow "insecure third party". Include that into AD so enterprises can force restricted mode only. I really don't know why they haven't done that already.
Money, although very important, is not the only thing that is of value to Microsoft. Just checkout why VSCodium exists. If you are not paying for the product you are the product.
HelloIamGoge@reddit
Vscode is open source in the same way chrome is. Chromium technically is, chrome not. Most products that people use of vscode is highly commercialised
PapaOscar90@reddit
No that would be too Apple-like to enforce standards.
ItsMexxie@reddit
All of the other issues aside, isn't that IP in the code beautifying snippet in a private address range? Wouldn't that just send data to some local server?
pyeri@reddit
I knew this was a disaster waiting to happen. Around the time of COVID lockdown, there was this massive social campaign pushing and singing praises of VSCode, a whole ecosystem was being readied for this. If the overall install base of a product increases, so will the attack vector of a plugin.
pragmojo@reddit
I agree that the dominance of VSCode is a problem. MS has too much influence over the developer ecosystem with VSCode and Github - I choose alternatives whenever possible.
Picorims@reddit
They also own npm and TypeScript when it comes to web.
pragmojo@reddit
Huh I didn't realize they own npm - at least yarn is an alternative, but that's meta as well so it's not that much better.
I'm secretly hoping wasm gets complete enough API's to replace the js ecosystem in the next 10 years and we can leave the mess which is js development in the past.
pyeri@reddit
What some of my wise friends do is head over to unkpg.com and download whatever individual packages they want. Avoid total dependency on the actual npm packager if possible.
JamesGecko@reddit
I mean, it's a great editor. Popular things become targets. Doesn't mean folks shouldn't have recommended it; there was no way to know that one of the biggest software companies in the world would drop the ball on security this badly.
GetPsyched67@reddit
Really silly dooming. People use pointless fear mongering like this to tell us why iOS has to be locked down as well. Just be careful with what you install
KeppraKid@reddit
Is it weird that I use almost no extensions when using VSCode?
Mikkelet@reddit
Wasn't this also the problem with NPM and why a lot of devs switched to Yarn?
popiazaza@reddit
Not really the main reason to use Yarn, it's mostly how node_modules is managed, for speed and some deps conflict problems.
A lot of devs actually switch back to npm (or pnpm to save disk space).
EvandoBlanco@reddit
I was going to make an "npm as an editor" joke.
smallballsputin@reddit
Vscode is the justin bieber of editors.