1-Click GitHub Token Stealing via a VSCode Bug
Just by clicking a link, it’s possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones.
Table of Contents
Background
VSCode Webview Security Model
The Bug
PoC and Protecting Yourself
What VSCode Did Well
Why Full Disclosure
Timeline
Background
Did you know GitHub has this really cool feature called github.dev?
On any repository you have access to, if you change the URL from github.com to github.dev, or click this little menu item:
You’...
Read more at blog.ammaraskar.com