Zero-Day in GitHub.dev Exposes OAuth Tokens, Threatening Private Repositories
What Happened – A newly discovered zero‑day vulnerability in GitHub.dev (the browser‑based VS Code environment) enables a one‑click attack that harvests GitHub OAuth tokens from developers’ browsers. Stolen tokens grant attackers read/write access to private repositories and any services that trust the token.
Why It Matters for TPRM (Third‑Party Risk Management) –
- Direct exposure of proprietary source code can cascade into supply‑chain compromises for downstream customers.
- Unauthorized token use bypasses traditional perimeter controls, undermining existing third‑party risk assessments.
Who Is Affected – SaaS platforms and development teams that rely on GitHub for code hosting, CI/CD pipelines, and API integrations (primarily technology and software vendors).
Recommended Actions –
- Instruct all vendors and internal teams to rotate GitHub OAuth tokens immediately.
- Apply any patches or mitigations released by GitHub and enforce token‑scope least‑privilege.
- Enable continuous monitoring for anomalous token activity and enforce MFA for GitHub accounts.
- Re‑evaluate third‑party risk scores for any suppliers that depend on GitHub‑hosted code.
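One way to act on the token‑scope least‑privilege item above, as an added example that is not from the advisory, TechRepublic, or GitHub: it parses the `X-OAuth-Scopes` header GitHub returns on API responses, expands it through the scope hierarchy (an assumed subset of GitHub's documented hierarchy, reproduced in the table), and reports what a stolen token would actually reach beyond what the integration needs.

```python
"""Audit a GitHub OAuth token's granted scopes against a least-privilege policy."""

# Parent scope -> scopes it implies. Assumption: a subset of GitHub's documented
# OAuth scope hierarchy; extend it with any scopes your integrations use.
SCOPE_IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "write:public_key": {"read:public_key"},
    "user": {"read:user", "user:email", "user:follow"},
    "write:packages": {"read:packages"},
}

# Scopes that hand a stolen token write access to code, pipelines or org admin.
HIGH_IMPACT = {"repo", "delete_repo", "workflow", "admin:org", "admin:repo_hook",
               "write:packages", "delete:packages"}


def parse_scopes(header: str) -> set[str]:
    """Parse the comma-separated X-OAuth-Scopes response header (may be empty)."""
    return {s.strip() for s in header.split(",") if s.strip()}


def effective_scopes(granted) -> set[str]:
    """Expand scopes transitively: 'repo' alone reaches every private-repo scope."""
    reached, pending = set(granted), list(granted)
    while pending:
        for child in SCOPE_IMPLIES.get(pending.pop(), ()):
            if child not in reached:
                reached.add(child)
                pending.append(child)
    return reached


def audit_token(header: str, required: set[str]) -> dict:
    """Compare a token's effective scopes with what the integration needs."""
    effective = effective_scopes(parse_scopes(header))
    excess = effective - effective_scopes(required)
    return {
        "effective": sorted(effective),
        "excess": sorted(excess),          # rotate and reissue with narrower scopes
        "high_impact": sorted(effective & HIGH_IMPACT),
        "compliant": not excess,
    }
```

Feed it the header value from any authenticated API call made with the token under review; a non-empty `excess` list, and any `high_impact` entry in particular, is a token to rotate with narrower scopes rather than simply reissue.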
Technical Notes – The flaw is a client‑side validation error in the GitHub.dev webview that allows a malicious page to capture OAuth tokens via a crafted URL. No CVE number has been assigned yet; the vulnerability is being treated as a zero‑day. Affected data includes OAuth bearer tokens, repository metadata, and any code or assets accessible through those tokens. Source: TechRepublic Security