Comment by mentalgear

16 hours ago

> I think one key detail is that all malicious extensions were masquerading as "themes". Creating a permission system would mitigate that, where a theme should only have permission to change visual attributes of VsCode.

upvote here: https://github.com/microsoft/vscode/issues/52116#issuecommen...

VsCode and other IDEs have basically no permission system (spoiler alert: Browser Extension permission system is also weak).

People like myself and many others have called this out over the years, but Micro$lop and others just didn't act at all - at least there's some irony in that they were hacked by way of their own insecure permission architecture.

PS: People would do best to run their IDE extensions in devcontainers only ... also better to put VSCode in a VM as well.

  • The problem with all these permissions ideas: VSCode in most cases is expected to be able to push to a git repo. Many developers these days use it over the CLI for pushes and pulls.

    So if it has a "minimal" set of access, it has access to a GitHub key. That's enough to do this sort of damage.