What Happened on June 2nd
On June 2, 2026, security researcher Ammar Askar publicly disclosed a critical, unpatched zero-day vulnerability in Visual Studio Code's webview implementation. This vulnerability allows an attacker to steal GitHub OAuth tokens. The primary target is the browser-based github.dev, but with additional user interaction, the desktop version of VS Code is also vulnerable.Ammar Askar's decision for full public disclosure, rather than private reporting, was influenced by prior negative experiences with Microsoft's Security Response Center (MSRC), a sentiment echoed in broader discussions within the security community regarding vendor responsiveness. As of today, June 3, 2026, Microsoft has not issued an official patch or a CVE for this vulnerability.
How a Single Click Gives Away Everything
The attack chain is direct: an attacker crafts malicious content within a VS Code webview, which could be a deceptive link or embedded content. When a user, perhaps reviewing a pull request or interacting with a legitimate-looking extension, clicks on an element within that webview, that single action triggers the vulnerability, allowing the malicious webview content to exfiltrate the user's GitHub OAuth token.The core technical issue identified is the lack of CSRF tokens on github.dev. This absence simplifies the attacker's ability to trick the browser into performing actions on the user's behalf.
The critical aspect, however, is the scope of these stolen tokens. These are broadly permissioned GitHub OAuth tokens, granting full read/write access across all user repositories. This type of credential access falls under MITRE ATT&CK technique T1552.006, which focuses on credentials stored or accessible via web browsers. An attacker with such a token gains full control over the victim's entire GitHub presence. They can clone private repositories, push malicious code, delete projects, or inject backdoors into open-source projects maintained by the victim.
This contrasts with GitHub Codespaces, which by design, uses more secure, scoped tokens. The incident highlights that github.dev lacks the same level of granular permission control, representing a fundamental architectural flaw.
The Impact: Unrestricted Repository Access
The practical impact is significant: any attacker with one of these stolen tokens can impersonate the victim on GitHub. This enables several critical attack vectors: code theft, providing access to all private repositories; code tampering, allowing injection of malicious code into existing projects, including widely used open-source libraries; supply chain attacks, where a compromised account used for CI/CD pipelines could trigger builds with malicious changes; and reputation damage, through defacing repositories or publishing harmful content under the victim's name.The concern extends beyond the compromise of a single project; it encompasses a complete loss of control over one's development identity and the potential for widespread compromise of downstream users. The unscoped nature of these tokens transforms the incident from a minor issue into a critical security event.
Mitigation, Architecture, and Rebuilding Trust
Currently, Microsoft has not released a patch; the immediate mitigation for users of github.dev is to clear site data for the domain. This re-enables a warning dialog that might prevent token theft, but it is a temporary workaround, not a permanent fix.Addressing this requires more than a simple patch. It requires rethinking architectural decisions that permit such broadly permissioned tokens to be easily exfiltrated.
Effective CSRF token implementation on github.dev is a fundamental requirement, as the absence of this mechanism was a direct enabler of the attack chain. Furthermore, GitHub should prioritize adopting a least-privilege model for token permissions by default, mirroring the granular scoping already present in Codespaces. Tokens should ideally be restricted to the minimum necessary actions, preventing broad access even if compromised.
Beyond the technical fixes, the circumstances of this public disclosure highlight a systemic issue: the erosion of trust in vendor security response processes. When researchers feel compelled to bypass private disclosure, as was the case here, it indicates a breakdown that impacts the entire security ecosystem. Rebuilding this trust requires transparent, responsive, and consistent engagement from vendors like Microsoft.
The incident highlights how the convenience offered by integrated development environments, particularly browser-based platforms, introduces significant security considerations. The trade-off between convenience and security, particularly when it grants access to an entire codebase, presents an unsustainable risk that demands immediate re-evaluation. The resolution extends beyond a simple patch; it necessitates a fundamental re-evaluation of trust and permission management within development workflows.
