shanalikhan / code-settings-sync

🌴💪 Synchronize your Visual Studio Code Settings Across Multiple Machines using GitHub GIST 💪🌴
https://marketplace.visualstudio.com/items?itemName=Shan.code-settings-sync
MIT License
4.02k stars 390 forks

GIANT SECURITY HOLE: Settings Sync captures contents of open files and its history #1348

Open nojvek opened 2 years ago

nojvek commented 2 years ago

πŸ› Describe the bug
A clear and concise description of what the bug is. You are always welcome to check the Troubleshooting section before filing the ticket.

🌴 Visual Studio Code Version: v1.66.2
🌴 Code Settings Sync Version: v3.4.3
🌴 Standard or Insiders: Standard
🌴 Portable or Installed: Installed
🌴 OSS or Official Build: Official
🌴 Operating System:
🌴 Occurs On: Upload
🌴 Proxy Enabled: No
🌴 Gist Id:

An automated sync uploaded the contents of a git ignored tab which contained secrets to a public gist.

Previously settings sync only uploaded extension list, vscode settings, keybindings. But it seems it now captures UI state including the contents of open tabs. This is a huge security hole.

The files are named History|-46774cc7|entries.json, History|-46774cc7|entries.json, etc.

It seems this plugin is capturing not only the current open tabs but also the undo history of the file. The gist is massive and contains so much sensitive information.

Please fix this.

📰 To Reproduce
Steps to reproduce the behavior:

  1. Open a file with secrets.
  2. Upload to settings. The contents of file will be synced to public gist.

💪 Expected behavior
Only sync settings. Not the files users have open in VSCode.

📺 Additional context

maxweisspoker commented 2 years ago

Yeah, I'm also seeing this, although the history files simply list the file name, not its contents. Still, this is bothersome. I hope they update this to allow disabling of these history files. It's also causing a continual sync, since the history files are changed on every save, which causes Settings Sync to notice and sync every save.

nojvek commented 2 years ago

I had a public gist with the contents of my open tabs that I definitely didn't want to be synced. I've deleted the gist but I can still repro this in a private gist.

This is bad. Like really really really bad, slurping the contents of the user's open tabs and its undo history.

femto-code commented 2 years ago

For those who can read and are able to use the search functionality: browse the repo issues, that is NOT a "giant security hole". Please update the title, as it is misleading or at least do a little research beforehand.

#1341

maxweisspoker commented 2 years ago

> For those who can read and are able to use the search functionality: browse the repo issues, that is NOT a "giant security hole". Please update the title, as it is misleading or at least do a little research beforehand.
>
> #1341

Uploading user files is absolutely a giant security hole. It's not Settings Sync's fault, but it's definitely a security problem that needs to be addressed in the next update.

robault commented 2 years ago

Just setting up VScode and saw the settings wanted Github access from this user's account. After seeing this issue, I declined and will not be using settings sync. The problem is the potential for me to forget this behavior exists. If at any point a bug is found in VSCode when setting gists as "secret", then any code can be exposed publicly on GitHub. It's just too risky, sorry.

jahirfiquitiva commented 2 years ago

I'm also seeing this and have many files like that. These should not be part of the gist 🤦

jahirfiquitiva commented 2 years ago

This solution worked, btw: https://github.com/shanalikhan/code-settings-sync/issues/1341#issuecomment-1094088898

Diogo-Rossi commented 2 years ago

This could solve:

```json
    "ignoreUploadFolders": [
        "sync",
        "workspaceStorage",
        "History"
    ],
```
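A small pre-upload audit, added here as an illustration and not part of the extension or this thread: given the `ignoreUploadFolders` list from `syncLocalSettings.json` and a listing of the VS Code User directory, it reports which files would still be uploaded and flags anything under `History` or `workspaceStorage`. It assumes (my assumption, not documented behaviour) that the extension skips a file when any directory component of its path is in the ignore list; the file listing and both config variants are constructed samples.

```python
import json
from pathlib import PurePosixPath

# Constructed sample configs: the list without "History", and the fix from the comment above.
WEAK_CONFIG = {"ignoreUploadFolders": ["sync", "workspaceStorage"]}
FIXED_CONFIG = {"ignoreUploadFolders": ["sync", "workspaceStorage", "History"]}

# Constructed listing of a VS Code User directory (paths relative to it).
SAMPLE_USER_FILES = [
    "settings.json",
    "keybindings.json",
    "snippets/python.json",
    "workspaceStorage/abc123/state.vscdb",
    "History/-46774cc7/entries.json",   # local-history index of an edited file
    "History/-46774cc7/3kQd.py",        # constructed name for a history snapshot
    "sync/extensions.json",
]

# Folders whose contents describe or contain user files rather than settings.
SENSITIVE_FOLDERS = {"History", "workspaceStorage"}


def would_upload(rel_path, ignore_folders):
    """Assumption: a file is skipped if any directory component is an ignored folder."""
    parts = PurePosixPath(rel_path).parts[:-1]
    return not any(p in ignore_folders for p in parts)


def audit(config, files):
    """Return (uploaded, leaks): everything that would be uploaded under this
    config, and the subset of it that lives in a sensitive folder."""
    ignore = set(config.get("ignoreUploadFolders", []))
    uploaded = [f for f in files if would_upload(f, ignore)]
    leaks = [f for f in uploaded if PurePosixPath(f).parts[0] in SENSITIVE_FOLDERS]
    return uploaded, leaks


def audit_config_file(path, files):
    """Same check, reading a real syncLocalSettings.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh), files)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        uploaded, leaks = audit(cfg, SAMPLE_USER_FILES)
        status = "OK" if not leaks else "LEAK"
        print(f"{name}: {status}, {len(uploaded)} files uploaded, flagged: {leaks}")
```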
Mayurifag commented 1 year ago

Sorry for my arguing, guys, that's not the thing I had to share, especially in GitHub issues.

I don't check my gist too often, but my Mac had a kernel panic with its lid closed (yea, lol) and f&cked up some of my configuration files, replacing them with aliases. VSCode was not an exception.

So I had to start from scratch, went to gist.github.com and... MAN WHAT THE F*CK!?!?!?!??!?! The entire gist with settings could not be opened fine like months ago. And it was spammed with these history files.. All kinds of private things and stuff..

Well, okay, people make mistakes sometimes, I understand. Though, why did none of the developers make a critical announcement on update about what happened and what to do next?? That blows my mind.

ederparaiso commented 1 year ago

Any updates about this?

yuu-eguci commented 1 year ago

I too fell into this giant security hole. Here's how I think the problem happened.


I could think of nothing else to do but uninstall Settings Sync and use official "Visual Studio Code Settings Sync". (Why does it have the same name?)

https://code.visualstudio.com/docs/editor/settings-sync

Sorry for the long post.

dghez commented 1 year ago

22.05.2023, had the same issue, my activity monitor had like 6 tasks called code-insider helper (plugin), all with CPU at around 100%. Disabled and uninstalled the extension (since it's now implemented in vscode) and so far everything looks back to normal.

Diogo-Rossi commented 1 year ago

I posted a link to an alternative here #1429.