The extension marketplace for the source code editor Visual Studio Code makes it easy for attackers to publish fakes of legitimate extensions. Security researchers at Aqua Security, a company specializing in cloud-native security, have released an extension masquerading as the popular code formatter Prettier. Within two days it had over 1,000 downloads.

The free editor Visual Studio Code, which is based on open source, is very popular, not least because it is so easy to extend. Numerous free extensions cover a wide range of areas, from programming language support to helpers for debugging and testing to integration with container tooling.



Some extensions reach downloads in the tens of millions.

As with the package managers npm or PyPI, the abundance of options is both a strength and a weakness. It is difficult to tell right away whether an extension does what it promises or does harm. Malicious packages on npm and similar registries like to disguise themselves as legitimate packages and rely on techniques such as typosquatting or brandjacking.

Brandjacking uses a company's or product's name to suggest a legitimate source. Typosquatting gives malicious packages names that resemble those of popular packages, relying on typos on the one hand and on swapped separators such as underscores and hyphens on the other. Sooner or later someone will mistype a name; that is the attackers' well-founded hope.


The Aqua Security team also used typosquatting for their proof of concept and released an extension masquerading as the Prettier code formatter. The original has over 27 million installs. Where the original's identifier is esbenp.prettier-vscode, the fake simply drops a "t" and becomes esbenp.pretier-vscode.

The trick is that the landing page does not reflect the typo. It can be designed freely, so the fake Prettier shows both the logo and the correctly spelled name. Comparing the two project pages reveals the differences only on close inspection.



At first glance, the fake looks like the original.

Icon, name, publisher and description are identical. The Visual Studio Code marketplace lets the displayName property, which supplies the displayed names of both the project and the publisher, be chosen freely, and it allows duplicates for both. That the names differ by one "t" can only be seen in the URL and in the additional information below the project details.

Two clear differences stand out in a direct comparison: the original's 27 million installations are in a completely different league from the fake's 1,500, and the number of ratings differs significantly as well.

The marketplace also offers simple ways of dressing up the project details. The associated GitHub repository can be specified at will, so the fake can simply link to the original repo. The accompanying information about pull requests and the most recent commit is therefore no help in identifying the fake either.



The project details can be manipulated, but revealing details can be found under “More Info”.

However, the dates of first publication and of the most recent update under "More Info" cannot be set manually. A look at the unique identifier in the additional information, as well as at the URL, reveals the altered name.
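As an added example (not part of the article or of the Aqua Security research), the following Node.js script turns the check described above into something that can be run against a whole installation: it compares each installed publisher.name identifier against an allowlist of approved identifiers and flags those that differ from a trusted identifier by only one or two characters, the way esbenp.pretier-vscode differs from esbenp.prettier-vscode. Only esbenp.prettier-vscode is taken from the article; the other allowlist entries, the sample listing and the distance threshold are assumptions chosen for the example.

```javascript
// Added example (Node.js), not code from the article or from Aqua Security.
// Audits a list of installed VS Code extension identifiers against an
// allowlist and flags lookalikes within a small edit distance of a trusted
// identifier. Only esbenp.prettier-vscode comes from the article; the other
// allowlist entries and the sample listing are constructed here.

// Identifiers (publisher.name) the team has actually approved. Constructed sample.
const ALLOWLIST = [
  'esbenp.prettier-vscode',
  'ms-python.python',
  'dbaeumer.vscode-eslint',
];

// Constructed sample of what `code --list-extensions` prints, one ID per line.
const SAMPLE_LISTING = [
  'esbenp.pretier-vscode',
  'ms-python.python',
  'dbaeumer.vscode-eslint',
  'some-publisher.unrelated-tool',
].join('\n');

// Identifiers at most this many edits away from an approved one are treated
// as lookalikes. A larger threshold catches more typosquats but also flags
// more unrelated short names.
const MAX_DISTANCE = 2;

// Levenshtein distance: minimum number of single-character insertions,
// deletions or substitutions that turn a into b.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Verdict for one identifier: 'known' (exact allowlist match), 'lookalike'
// (close to an approved ID but not identical, with nearest target and
// distance) or 'unknown'. IDs are lower-cased so that capitalization alone
// never hides an otherwise identical name.
function classifyExtension(rawId) {
  const id = rawId.trim().toLowerCase();
  if (ALLOWLIST.includes(id)) return { id, verdict: 'known' };
  let best = null;
  for (const target of ALLOWLIST) {
    const distance = editDistance(id, target);
    if (distance <= MAX_DISTANCE && (best === null || distance < best.distance)) {
      best = { target, distance };
    }
  }
  return best ? { id, verdict: 'lookalike', ...best } : { id, verdict: 'unknown' };
}

// Audit a whole `code --list-extensions` listing; blank lines are ignored.
function auditListing(listing) {
  return listing
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map(classifyExtension);
}

// Human-readable report: lookalikes and unknowns only, approved IDs stay quiet.
function reportListing(listing) {
  return auditListing(listing)
    .filter((r) => r.verdict !== 'known')
    .map((r) => (r.verdict === 'lookalike'
      ? `LOOKALIKE ${r.id} -> ${r.target} (distance ${r.distance})`
      : `UNKNOWN   ${r.id}`));
}

console.log(reportListing(SAMPLE_LISTING).join('\n'));
```

To audit a real machine, replace SAMPLE_LISTING with the actual output of `code --list-extensions`. An identifier reported as a lookalike is exactly the case the article describes: the display name and icon may look right, and only the identifier gives the fake away.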

The proof of concept was all about how easy it is to publish a fake extension. The fake Prettier contained no malicious code, but it sent a ping to the research team, who used it to trace the geographical distribution. Two days after release there were just over 1,000 installations spread across the globe.



The installed extensions reported via a ping.

The researchers have not investigated whether malicious code can be distributed just as easily. Microsoft states in the Marketplace FAQ that it subjects all extensions to a virus scan; this applies to both new extensions and updates.

However, detecting malicious code is not trivial. A Visual Studio Code extension has the same rights as the user running it, and an extension that modifies files or opens an Internet connection may well be doing exactly what it is supposed to. As an example of what can go wrong, the Aqua Security blog cites a presumably non-malicious but careless extension from the marketplace that fetches code (from its own domain) over plain HTTP, without TLS, and executes it with eval, something that should be taboo.

The blog post on the proof of concept mentions another source of false confidence, even though the test run did not make use of it: the blue tick that marks a publisher as verified only means that the publisher was able to prove ownership of a domain. Apparently, this can be any domain. Independently of this, the publisher name and GitHub repository can be set at will, as in the proof of concept. At least the Marketplace FAQ states that Microsoft actively checks for name squatting of official publishers "like Microsoft and Red Hat".

More details can be found on the Aqua Security blog.


(rm)

California18