Researcher Drops a New VS Code Zero-Day After Losing Trust in Microsoft’s Disclosure Process
Publish Date: 2026-06-04 05:13:29
Source Domain: securityaffairs.com
A security researcher named Ammar Askar disclosed a zero-day vulnerability in Visual Studio Code (VS Code) publicly after losing trust in Microsoft’s handling of bug reports. Askar found that the vulnerability allows attackers to steal GitHub tokens through a malicious VS Code extension, which then grants them access to both public and private repositories. To achieve this, the attacker modifies the repository’s .vscode/extensions.json file and tricks users into visiting a malicious version of github.dev, which circumvents the usual approval process for extension installations. Askar criticized Microsoft’s MSRC (Microsoft Security Response Center) for its previous practices, noting the lack of credit, the dismissive attitude towards the reported bugs, and instances where reported vulnerabilities were marked as low-severity. He emphasized his frustration with MSRC’s process and decided to openly publish details and a proof-of-concept exploit to push for security improvements. Askar highlighted that this method of forced disclosure was his last resort to influence MSRC’s actions and the overall security posture of VS Code.
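The vector described above starts with a modified `.vscode/extensions.json` in the repository. As an added example (not code from the article or from the researcher), the following check parses a workspace `extensions.json`, validates each recommendation against the `publisher.name` identifier shape, and flags any publisher that is not on a reviewed allowlist; the sample file and the `TRUSTED_PUBLISHERS` set are constructed for illustration, and the file is parsed as strict JSON (VS Code itself tolerates comments in this file, which this check would report as invalid rather than silently accept).

```python
import json
import re

# VS Code extension identifiers take the form "publisher.name". This regex is a
# conservative approximation of that syntax used for validation here, not an
# official grammar.
EXT_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.[a-z0-9][a-z0-9-]*$", re.IGNORECASE)

# Constructed sample of a repository's .vscode/extensions.json with one
# recommendation from a publisher the team has never reviewed.
SAMPLE_EXTENSIONS_JSON = """{
  "recommendations": [
    "ms-python.python",
    "dbaeumer.vscode-eslint",
    "totally-legit.github-helper"
  ],
  "unwantedRecommendations": []
}"""

# Hypothetical allowlist of publishers a team has reviewed; adjust per org.
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode", "dbaeumer"}


def audit_extensions_json(text, trusted_publishers=TRUSTED_PUBLISHERS):
    """Return a list of (extension_id, reason) findings for a workspace
    extensions.json: malformed identifiers and recommendations whose
    publisher is not on the reviewed allowlist. Empty list means clean."""
    findings = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # Strict JSON only; a file that does not parse is itself a finding.
        return [("<file>", f"invalid JSON: {exc.msg}")]
    recs = data.get("recommendations", []) if isinstance(data, dict) else []
    if not isinstance(recs, list):
        return [("<file>", "recommendations is not a list")]
    for ext in recs:
        if not isinstance(ext, str) or not EXT_ID_RE.match(ext):
            findings.append((str(ext), "malformed extension id"))
            continue
        publisher = ext.split(".", 1)[0].lower()
        if publisher not in trusted_publishers:
            findings.append((ext, f"publisher '{publisher}' not on allowlist"))
    return findings


if __name__ == "__main__":
    for ext_id, reason in audit_extensions_json(SAMPLE_EXTENSIONS_JSON):
        print(f"{ext_id}: {reason}")
```

Run it in CI against every `.vscode/extensions.json` in a repository so that an unexpected recommendation is caught at review time rather than when a developer opens the workspace.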
Key Points:
– Security researcher Ammar Askar found a zero-day vulnerability in Visual Studio Code.
– The exploit allows attackers to steal GitHub tokens that grant access to any repository the user can reach.
– Askar criticized Microsoft’s MSRC for past dismissive handling and low-severity markings of reported bugs.
– Askar’s decision to publicly disclose the vulnerability stems from a lost trust in Microsoft’s responsible disclosure processes.
– He believes full public disclosure is necessary to push for stronger security improvements and influence MSRC’s approach.