Security and Privacy of VSCode extensions

shekhar picture shekhar · Nov 21, 2017 · Viewed 7k times · Source

I see that VSCode has a lot of nice extensions. I am however concerned if those extensions are sending my code to any of their servers. Is there any way to find out? I could use fiddler and isolate calls that might be happening from the plugin - but don't want to be doing that for each and every extension that I install. Is there some guidance from VScode team on this?

Answer

herrbischoff picture herrbischoff · Nov 24, 2017

If you are paranoid about what kind of data (if at all) your installed applications/plugins send and where to, you will first have to inspect the plugin source code line-by-line, followed by the setup of a kind of man-in-the-middle proxy server that's logging every network transaction. There is a tool fittingly called mitmproxy that is for example used in iOS network forensics or really all closed devices you cannot readily peek into: https://mitmproxy.org

This is laborious work as you will have to sift through tons of connection data. The upside is that in the end you will know exactly what kind of data is sent where, even through SSL-encrypted communication. mitmproxy can place itself between those connections as well — after some initial setup.

Other than that you can only set up a personal firewall or (depending on your OS) set up a full firewall set, blocking all but manually approved connections.

In the end, it all depends on what your threat level is, as it is called in the security industry. If you have exceptionally high operational security requirements, you shouldn't be connecting to the internet at all from the machine you are handling sensitive information with, using an air-gapped machine instead, physically transferring data from one to the other, setting up several additional safeguards such as intrusion detection, heuristic scanning and physical access limitations.

However, this kind of security overhead is usually overkill. If you install highly-rated and popular plugins, you are probably good to go as the laws of big numbers dictate that the probability of nefarious behavior will get detected vastly more easily the more people are participating.

Security is a highly complex and dynamic task that you will either have to do yourself or pay someone to do it for you. Also, it's a numbers game, or one of deterrents. There is no 100% secure anything. Given enough time and resources, anything can be compromised. The game is to make it harder to compromise a target than the possible gain of successfully doing so would be. An open source project that's not squarely developed as a security solution (even from a giant like Microsoft) cannot be expected to do this security review for you for free.

Update: As VSCode becomes very popular, the issue of evil plugins arises. This is the same issue as with any plugin architecture (like WWW browsers) or public package managers (like npm). When there are no formal, automated and manual security reviews (like Apple's App Store — and despite their massive manpower they slip up from time to time) , from an information security standpoint, all those systems are potentially toxic. It is also possible that a popular extension gets sold and/or changes owner, followed by an injection of bad code. This has happened multiple times for browser plugins and npm packages. Extensions are a considerable attack vector, especially for the enterprise. Developers often have far wider access to the network infrastructure and services than a regular user does and run software with higher privileges on their machines.

In conclusion:

I could use fiddler and isolate calls that might be happening from the plugin - but don't want to be doing that for each and every extension that I install.

I'm afraid that's exactly what you would have to do for the time being.