Protect Your Secrets: Understanding and Measuring Data Exposure in VSCode Extensions
Yue Liu, Chakkrit Tantithamthavorn, Li Li
TL;DR
This paper addresses data exposure risks arising from cross-extension interactions in the VSCode IDE. It introduces a hybrid automated framework that fuses program analysis (PDG-based data-flow tracing) with NLP (a fine-tuned BERT classifier) to detect credential-related data leakage across tens of thousands of extensions. Evaluated on a large-scale dataset of $27{,}261$ extensions (collected from an initial $48{,}692$), the approach identifies $2{,}325$ extensions ($8.5\%$) with credential exposure across vectors such as global state, configurations, clipboard, and commands, with notably higher risk in AI coding assistants. The findings reveal pervasive security challenges in the extension-in-IDE paradigm and provide concrete mitigation guidance for developers and platform maintainers, including secure storage practices and enhanced vetting, supported by open data and replication resources.
Abstract
Recent years have witnessed the emerging trend of extensions in modern Integrated Development Environments (IDEs) like Visual Studio Code (VSCode) that significantly enhance developer productivity. Especially, popular AI coding assistants like GitHub Copilot and Tabnine provide conveniences like automated code completion and debugging. While these extensions offer numerous benefits, they may introduce privacy and security concerns to software developers. However, there is no existing work that systematically analyzes the security and privacy concerns, including the risks of data exposure in VSCode extensions. In this paper, we investigate on the security issues of cross-extension interactions in VSCode and shed light on the vulnerabilities caused by data exposure among different extensions. Our study uncovers high-impact security flaws that could allow adversaries to stealthily acquire or manipulate credential-related data (e.g., passwords, API keys, access tokens) from other extensions if not properly handled by extension vendors. To measure their prevalence, we design a novel automated risk detection framework that leverages program analysis and natural language processing techniques to automatically identify potential risks in VSCode extensions. By applying our tool to 27,261 real-world VSCode extensions, we discover that 8.5% of them (i.e., 2,325 extensions) are exposed to credential-related data leakage through various vectors, such as commands, user input, and configurations. Our study sheds light on the security challenges and flaws of the extension-in-IDE paradigm and provides suggestions and recommendations for improving the security of VSCode extensions and mitigating the risks of data exposure.