A critical security vulnerability in VSCode's webview implementation allows attackers to steal GitHub tokens with a single click, potentially compromising access to private repositories. The bug affects the github.dev web-based editor, which uses OAuth tokens with broad permissions. The researcher responsibly disclosed the issue, and VSCode has since patched the vulnerability.
Background
VSCode's web-based editor github.dev uses OAuth tokens to provide repository access, but those tokens carry broad permissions across all of the user's repositories, so a stolen token grants far more access than the single repository being edited. The webview implementation in VSCode was found to have a security flaw that could be exploited to steal these tokens.
- Source: Lobsters
- Published: Jun 3, 2026 at 08:22 AM
- Score: 9.0 / 10