
GIANT SECURITY HOLE: Settings Sync captures contents of open files and its history


🐛 Describe the bug
A clear and concise description of what the bug is. You are always welcome to check the Troubleshooting section before filing the ticket.

  • 🌴 Visual Studio Code Version: v1.66.2
  • 🌴 Code Settings Sync Version: v3.4.3
  • 🌴 Standard or Insiders: Standard
  • 🌴 Portable or Installed: Installed
  • 🌴 OSS or Official Build: Official
  • 🌴 Operating System:
  • 🌴 Occurs On: Upload
  • 🌴 Proxy Enabled: No
  • 🌴 Gist Id:

An automated sync uploaded the contents of a git ignored tab which contained secrets to a public gist.

Previously settings sync only uploaded extension list, vscode settings, keybindings. But it seems it now captures UI state including the contents of open tabs. This is a huge security hole.

The files are named History|-46774cc7|entries.json, History|-46774cc7|entries.json, etc.

It seems this plugin is capturing not only the current open tabs but also the undo history of the file. The gist is massive and contains so much sensitive information.

Please fix this.

📰 To Reproduce

Steps to reproduce the behavior:

  1. Open a file with secrets.
  2. Upload to settings. The contents of the file will be synced to a public gist.

💪 Expected behavior

Only sync settings. Not the files users have open in VSCode.

📺 Additional context

Issue Analytics

  • State: open
  • Created a year ago
  • Reactions: 20
  • Comments: 9

Top GitHub Comments

Diogo-Rossi commented, Jun 13, 2022 (14 reactions)

This could solve:

    "ignoreUploadFolders": [
        "sync",
        "workspaceStorage",
        "History"
    ],
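
A way to check a machine for the exposure discussed in this thread, as an added example that is not code from the issue or from the Settings Sync extension. It assumes the extension's local config is a file named `syncLocalSettings.json` in the VS Code `User` folder and that `ignoreUploadFolders` matches top-level folder names; the function names are hypothetical.

```python
import json
import re
from pathlib import Path

# Folders listed in the comment above.
RECOMMENDED = ["sync", "workspaceStorage", "History"]
# Assumption: name of the extension's local config file in the User folder.
LOCAL_SETTINGS = "syncLocalSettings.json"
# Gist names reported in the issue look like "History|-46774cc7|entries.json".
HISTORY_NAME = re.compile(r"^History\|[^|]+\|.+$")


def missing_ignores(settings_text):
    """Return the recommended folders absent from ignoreUploadFolders."""
    cfg = json.loads(settings_text)
    ignored = set(cfg.get("ignoreUploadFolders", []))
    return [name for name in RECOMMENDED if name not in ignored]


def exposed_files(user_dir, ignored):
    """List files under the recommended folders that are not ignored."""
    root = Path(user_dir)
    hits = []
    for name in RECOMMENDED:
        folder = root / name
        if name in ignored or not folder.is_dir():
            continue
        hits += sorted(p.relative_to(root).as_posix()
                       for p in folder.rglob("*") if p.is_file())
    return hits


def history_names(gist_filenames):
    """Pick out gist file names that came from the History folder."""
    return [n for n in gist_filenames if HISTORY_NAME.match(n)]


def audit(user_dir):
    """Run the config check and the on-disk check for one User folder."""
    cfg_path = Path(user_dir) / LOCAL_SETTINGS
    text = cfg_path.read_text(encoding="utf-8") if cfg_path.is_file() else "{}"
    missing = missing_ignores(text)
    ignored = set(RECOMMENDED) - set(missing)
    return {"missing": missing, "exposed": exposed_files(user_dir, ignored)}
```

`audit()` takes the path of the VS Code `User` folder; `history_names()` takes the list of file names in an existing gist, so uploads that already happened can be found and the secrets in them rotated.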

maxweisspoker commented, May 29, 2022 (10 reactions)

For those who can read and are able to use the search functionality: browse the repo issues, that is NOT a “giant security hole”. Please update the title, as it is misleading or at least do a little research beforehand.

#1341

Uploading user files is absolutely a giant security hole. It’s not Settings Sync’s fault, but it’s definitely a security problem that needs to be addressed in the next update.
