microsoft / vscode

Visual Studio Code
https://code.visualstudio.com
MIT License

Weak secret encryption **without user consent** #223589

Closed datosh closed 3 weeks ago

datosh commented 1 month ago

Does this issue occur when all extensions are disabled?: No, as this needs the extension to interact with the secret mentioned.

This was initially reported via MSRC as VULN-130974, but closed "as a non-MSRC case".

When I set up my new MacBook Pro (M3) with Sonoma 14.5, I downloaded VSCode 1.91.0 and installed it.

VSCode then prompted me to "Sign in to use GitHub Copilot."; as far as I know this originates from the "vscode.github-authentication" extension.

When I follow the browser based login, a new secret is created in $HOME/Library/Application Support/Code/User/globalStorage/state.vscdb which uses the prefix v10 and is therefore encrypted using the "peanuts" password. There was no prompt in VSCode to get my consent to store the secret using a weaker encryption method.

This one liner can be used to detect if secrets are stored using the weak v10 form (118,49,48 is v10 in ASCII):

sqlite3 "$HOME/Library/Application Support/Code/User/globalStorage/state.vscdb" "SELECT value FROM ItemTable WHERE key LIKE 'secret%';" | grep "118,49,48" -o

This one liner can be used to delete all secrets using the weak v10 form (I used this to force a re-authentication flow):

sqlite3 "$HOME/Library/Application Support/Code/User/globalStorage/state.vscdb" "DELETE FROM ItemTable WHERE key LIKE 'secret%';"

To verify that the "peanuts" password was used:

  1. fetch the value of the secret in state.vscdb
  2. strip the v10 prefix
  3. Use AES-CBC with the following inputs:
    • key = "fd621fe5a2b402539dfa147ca9272778" as it is the static output of PBKDF2("peanuts", "saltysalt", iteration=1, hash=SHA1)
    • IV = 16 * 0x20

As this decrypts fine (no padding error) I assume this validates the static password was used (together with the v10 prefix).

I was able to confirm that a secret called Code Safe Storage is available in my keychain, but somehow is not used to encrypt the generated extension secret.

I was able to get verification from two colleagues that they also have v10 secrets on their macOS machines.

The vscode.log is attached as described at https://code.visualstudio.com/docs/editor/settings-sync#_troubleshooting-keychain-issues
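The three verification steps above, as an added example that is not part of the issue or of the VS Code project. It uses only the Go standard library, assumes the parameters the report states (password "peanuts", salt "saltysalt", one PBKDF2-SHA1 iteration, 16-byte key, IV of 16 spaces, "v10" prefix), and constructs its own sample secret instead of reading state.vscdb:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"errors"
)

var v10Prefix = []byte("v10")
var fixedIV = bytes.Repeat([]byte{0x20}, aes.BlockSize) // IV = 16 * 0x20, as in the issue

// FallbackKey is PBKDF2-SHA1("peanuts", "saltysalt", 1 iteration, 16 bytes); with a
// single iteration PBKDF2 reduces to HMAC-SHA1(password, salt || INT(1)), truncated.
func FallbackKey() []byte {
	mac := hmac.New(sha1.New, []byte("peanuts"))
	mac.Write([]byte("saltysalt"))
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index i = 1
	return mac.Sum(nil)[:16]
}

// IsWeakV10 mirrors the grep for "118,49,48": the stored value starts with "v10".
func IsWeakV10(blob []byte) bool { return bytes.HasPrefix(blob, v10Prefix) }

// DecryptV10 strips the prefix, runs AES-128-CBC with the fixed IV and checks the
// PKCS#7 padding; a padding error is the key-mismatch signal the issue relies on.
func DecryptV10(blob, key []byte) ([]byte, error) {
	ct := bytes.TrimPrefix(blob, v10Prefix)
	if !IsWeakV10(blob) || len(key) != 16 || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("not a well-formed v10 secret or 16-byte key")
	}
	block, _ := aes.NewCipher(key) // key length already validated above
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, fixedIV).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("padding error: key does not match")
	}
	return pt[:len(pt)-pad], nil
}

// EncryptV10 builds a v10 blob from a plaintext; used only to construct a sample secret.
func EncryptV10(plain, key []byte) []byte {
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte(nil), plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(out, padded)
	return append(append([]byte(nil), v10Prefix...), out...)
}
```

To audit a real store, feed each value returned by the SELECT one-liner above to IsWeakV10 and DecryptV10 with FallbackKey(); the hex of FallbackKey() can be compared against the static key quoted in the report.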

VSCodeTriageBot commented 1 month ago

Thanks for creating this issue! It looks like you may be using an old version of VS Code, the latest stable release is 1.91.1. Please try upgrading to the latest version and checking whether this issue remains.

Happy Coding!

TylerLeonhardt commented 1 month ago

@datosh your log didn't have the verbose logs which typically means you didn't kill VS Code entirely before launching with the extra flags.

This may be an electron bug (which we can address)... but let's rule out VS Code itself. Can you:

To reset the log level back

vs-code-engineering[bot] commented 4 weeks ago

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

vs-code-engineering[bot] commented 3 weeks ago

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

datosh commented 1 week ago

Hey @TylerLeonhardt, sorry for the late reply.

I followed your guide and attached the logs. Please let me know if anything else is required.

vscode_output_log_main.txt