GitHub Workflow Updater Plaintext Token Storage Vulnerability
Vulnerability
A vulnerability exists in the GitHub Workflow Updater extension for Visual Studio Code, prior to version 0.0.7, where any provided GitHub token was stored in plaintext within the editor configuration as JSON on disk. This method of storage is less secure than the editor's SecretStorage API, which encrypts secrets and stores them in the operating system's keychain or credential vault. As a result, an attacker with read-only access to the home directory could read the token and misuse it. The issue has been addressed in version 0.0.7, which migrates existing tokens to secure storage and removes them from the plaintext configuration.
Impact
The vulnerability allowed for unauthorized access to GitHub tokens, which could be used to perform actions on behalf of the user, particularly regarding private repositories.
Remediation
Users are advised to update to version 0.0.7. After updating, existing tokens will be automatically migrated to the secure storage and removed from the plaintext configuration. If the extension is used without a token, the vulnerability is not applicable.
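The migration described above (read the token from the plaintext configuration, store it in secret storage, then clear the configuration entry), as an added example that is not the extension's own code. The `ConfigStore` and `SecretStore` interfaces are simplified, synchronous stand-ins for the VS Code configuration and SecretStorage shapes (the real SecretStorage API on `context.secrets` is promise-based), and the setting key `githubWorkflowUpdater.token` is a hypothetical name, since the advisory does not give it. The second function is a defender-side check that reports whether a `settings.json` still carries such a token.

```typescript
// Simplified stand-ins (assumptions, not the VS Code API): a configuration
// store that models settings.json and a secret store that models SecretStorage.
interface ConfigStore {
  get(key: string): string | undefined;
  update(key: string, value: string | undefined): void; // undefined removes the key
}
interface SecretStore {
  get(key: string): string | undefined;
  store(key: string, value: string): void;
  delete(key: string): void;
}

class InMemoryConfig implements ConfigStore {
  constructor(private data: Record<string, string> = {}) {}
  get(key: string): string | undefined { return this.data[key]; }
  update(key: string, value: string | undefined): void {
    if (value === undefined) delete this.data[key]; else this.data[key] = value;
  }
}

class InMemorySecrets implements SecretStore {
  private data = new Map<string, string>();
  get(key: string): string | undefined { return this.data.get(key); }
  store(key: string, value: string): void { this.data.set(key, value); }
  delete(key: string): void { this.data.delete(key); }
}

// Hypothetical key names; the advisory does not state the real ones.
const TOKEN_SETTING = "githubWorkflowUpdater.token";
const TOKEN_SECRET = "githubWorkflowUpdater.token";

type MigrationResult = "migrated" | "already-secure" | "none";

// Move a plaintext token into secret storage and remove it from the
// configuration. Runs safely on every activation: once the setting is gone
// it reports "already-secure" or "none" and changes nothing.
function migrateToken(config: ConfigStore, secrets: SecretStore): MigrationResult {
  const plaintext = config.get(TOKEN_SETTING);
  if (plaintext === undefined || plaintext === "") {
    return secrets.get(TOKEN_SECRET) !== undefined ? "already-secure" : "none";
  }
  // Do not overwrite a token the user has already placed in secure storage.
  if (secrets.get(TOKEN_SECRET) === undefined) {
    secrets.store(TOKEN_SECRET, plaintext);
  }
  config.update(TOKEN_SETTING, undefined); // strip the plaintext copy
  return "migrated";
}

// Defender-side check: list the given setting keys that still hold a non-empty
// string in a settings.json document. Note that real settings.json files may
// contain comments (JSONC), which JSON.parse rejects; strip them first if so.
function findPlaintextTokens(settingsJson: string, keys: string[] = [TOKEN_SETTING]): string[] {
  const parsed = JSON.parse(settingsJson) as Record<string, unknown>;
  return keys.filter((k) => typeof parsed[k] === "string" && (parsed[k] as string).length > 0);
}

// Constructed sample run: a settings.json that still carries the token.
const sampleConfig = new InMemoryConfig({ [TOKEN_SETTING]: "ghp_CONSTRUCTED_EXAMPLE_TOKEN" });
const sampleSecrets = new InMemorySecrets();
console.log(migrateToken(sampleConfig, sampleSecrets)); // "migrated"
console.log(sampleConfig.get(TOKEN_SETTING));          // undefined
```

Running the migration once on activation is enough: the second call on the same stores returns "already-secure", and a settings file that no longer contains the key yields an empty list from `findPlaintextTokens`.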
