4/6 | Introducing ExtensionTotal: How to Assess Risk in VS Code Extensions

Amit Assaraf
5 min read · Jun 6, 2024

In the previous blog post, “3/6 | A Letter to Microsoft: Uncovering Design Flaws of Visual Studio Code Extensions”, we addressed a letter to Microsoft covering all the security design flaws we found in Visual Studio Code extensions and the marketplace.

We decided to create a community tool to help assess the risk of VSCode extensions, giving organizations a way to mitigate this risk today.

But before we introduce our solution, let's recap the risk of VSCode extensions.

The Risk

As reviewed in the previous research blogs, Visual Studio Code (VSCode) extensions were designed without fundamental boundaries. They can execute arbitrary code, spawn child processes, and access system resources without any limitation and without any permission model, meaning users have zero visibility into what actions extensions perform. Furthermore, the VSCode Marketplace has minimal controls, enabling malicious extensions to easily gain credibility and exposure to developers: our research extension (as discussed in our first blog post) reached thousands of developers and multiple multi-billion dollar market cap companies, including one of the biggest cybersecurity companies in the world, without any solicitation or major effort from us. These issues pose a significant threat to organizations worldwide.

Introducing ExtensionTotal

ExtensionTotal, inspired by VirusTotal, AppTotal, and other PLG security tools, is the solution we created. It is a web tool that, given an extension name, ID or URL, assesses the risk of the extension being malicious.

We unpack and dive deep into the extension: sandboxing it and running vulnerability checks on the code and its dependencies, gathering data about the publisher's background, monitoring whether the extension communicates externally, checking for leaked secrets, and even providing AI-generated code insights to understand what the code is built to do.

We built ExtensionTotal in a month and are happy to share it with you and with the world; hopefully we've done our part to make it a little safer.

How does it work?

ExtensionTotal continuously analyzes extensions listed on the Visual Studio Code Marketplace. Each extension is unpacked, and hundreds of attributes are extracted, enriched, and factored into a risk score.

You can search any extension that is or was live on the VSCode Marketplace and get a comprehensive report including a factored risk score, findings, and a breakdown of the risks associated with the extension.

Let's explore the report for “Darcula”, the research extension we initially created to assess the vulnerabilities in the VSCode universe.

In the report you immediately get a quick look at the risk score we calculated for this extension (high), and alongside it the main findings that led us to this risk score.

Right away you can see two interesting findings. The first is Impersonating an Extension: we found a more popular and older extension that is extremely similar to this one, by comparing the name, domain, descriptions, code, and more. The second red flag is Theme Running Code: themes in VSCode are only JSON or YAML files and usually do not run code, yet we found that this extension has code activation events and a main JS file.

Let's dive deeper into the report.

In this section we can see two interesting things: first, whether this extension communicates with the outside world, and second, which VSCode APIs it calls. As you can see, ExtensionTotal found that “Darcula” uses Retool, a strange thing to see, and additionally it accesses the workspace.openTextDocument API, which allows reading the source code opened in VSCode. Both should raise a flag, as this extension, again, is only a theme.
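As an added illustration of the two report flags above (Theme Running Code, and a theme calling workspace.openTextDocument while talking to an external host), here is a small static check over a constructed package.json and entry-point file. This is example code written for this post's explanation, not ExtensionTotal's own analyzer; the host and API regexes are simple heuristics I'm assuming, not the tool's real indicators, and the sample files are constructed, not the actual Darcula extension.

```python
import json
import re

# Constructed sample manifest and entry-point source modelled on the
# "theme that runs code" pattern described above (not the real extension).
SAMPLE_MANIFEST = json.dumps({
    "name": "darcula-like-theme",
    "publisher": "example-publisher",
    "contributes": {"themes": [{"label": "Darcula-like", "path": "./themes/dark.json"}]},
    "main": "./out/extension.js",
    "activationEvents": ["*"],
})
SAMPLE_SOURCE = """
const vscode = require('vscode');
const https = require('https');
function activate(context) {
  vscode.workspace.openTextDocument(vscode.window.activeTextEditor.document.uri)
    .then(doc => https.request({ host: 'example.retool.com' }));
}
"""

# Heuristics (assumed, not ExtensionTotal's): `vscode.<namespace>.<member>` calls,
# and quoted dotted hostnames or use of Node's network modules.
VSCODE_API_RE = re.compile(r"vscode\.(\w+\.\w+)")
HOST_RE = re.compile(r"['\"]([a-z0-9.-]+\.[a-z]{2,})['\"]")
NET_MODULE_RE = re.compile(r"require\(['\"](https?|net)['\"]\)")

def analyze_extension(manifest_text, source_text):
    """Return findings, VS Code APIs used and hosts seen for one extension."""
    manifest = json.loads(manifest_text)
    contributes = manifest.get("contributes", {})
    findings = []
    # A theme contributes colour/icon themes; it should not need an entry point.
    is_theme = any(k in contributes for k in ("themes", "iconThemes", "productIconThemes"))
    runs_code = bool(manifest.get("main") or manifest.get("browser")
                     or manifest.get("activationEvents"))
    if is_theme and runs_code:
        findings.append("theme-running-code")
    apis = sorted(set(VSCODE_API_RE.findall(source_text)))
    if "workspace.openTextDocument" in apis:
        findings.append("reads-open-documents")
    hosts = sorted(set(HOST_RE.findall(source_text)))
    if hosts or NET_MODULE_RE.search(source_text):
        findings.append("external-communication")
    return {"findings": findings, "apis": apis, "hosts": hosts}
```

Run it over a real extension by feeding it the unpacked package.json and the file named in its `main` field; a pure theme with no entry point should come back with no findings.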

Finally, for this specific extension, the last section provides a custom LLM-based overview of the extension's code, and it even highlights potential malicious activity!

Do you know what extensions are installed in your organization?

We've built ExtensionTotal with 40+ different findings and 200+ indicators. ExtensionTotal has helped us find and report very risky and interesting extensions on the VSCode Marketplace, making it a better and safer place.

To make this tool useful for organizations, we wrote a quick Jamf script that, when deployed on each endpoint, lists all extensions installed in VSCode and runs them through ExtensionTotal to find the risk score of every extension inside the organization.

You can find this script and copy it from the landing page of ExtensionTotal.com.

Additionally, we've developed an extension for VSCode that continuously scans all your installed extensions for risky activity and alerts you if and when it finds one. View it on the VSCode Marketplace here.

And we are actually trending on the Visual Studio Code Marketplace!

So, where are we headed now?

We've built ExtensionTotal as a free community tool and as a result of our research:

1/6 | How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension

2/6 | Exposing Malicious Extensions: Shocking Statistics from the VS Code Marketplace

3/6 | A Letter to Microsoft: Uncovering Design Flaws of Visual Studio Code Extensions

We enjoyed building ExtensionTotal over the past month, and are set on finding interesting and aching problems in the cybersecurity space to help CISOs sleep better at night.

If you'd like to chat, schedule a call with us here; we'd love to learn more about what brought you here and explore your cybersecurity thoughts and dreams. Who knows, maybe we can make yours come true one day.

We will continue to post a few more blog posts, specifically on how to mitigate this issue in your organization and recommendations on how to handle risky extensions. Stay tuned.

Check out ExtensionTotal here
