Key facts
- A vulnerability in GitHub.dev, the browser-based VS Code editor, exposes private repositories.
- GitHub passes an OAuth token into the editor session; the token carries read and write access.
- The token's reach is every repository the user can access, private ones included.
- A single click inside the GitHub.dev session is enough to exploit the issue.
A security vulnerability has been identified in GitHub.dev, the browser-based VS Code editor that opens when you press the period key (`.`) on a GitHub repository page. When a developer launches the editor, GitHub silently hands an OAuth token to the session. That token grants read and write access to every repository the user can access, private repositories included. A single click within the GitHub.dev environment could therefore lead to the compromise of private repositories. Because the token is the user's own credential, the damage is bounded by that user's permissions: whoever obtains it can read and modify everything the victim can, but nothing beyond that. Any token that may have been exposed this way should be treated as compromised and revoked rather than left to expire.
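The practical question after a report like this is what a leaked token can actually do. The following is an added example, not code from the article or from GitHub: it sends an authenticated `GET /user` to the GitHub REST API and reads the `X-OAuth-Scopes` response header, which lists the classic OAuth scopes attached to the token. The example assumes the GitHub.dev token is a classic OAuth token whose read/write repository access corresponds to the `repo` scope; the token strings and the response headers used here are constructed, and the transport is injectable so the script runs offline.

```python
"""Triage a GitHub OAuth token's blast radius from the X-OAuth-Scopes header.

Added example (not GitHub's code). Assumption: the token is a classic OAuth
token, so GitHub reports its scopes in the X-OAuth-Scopes header of any
authenticated REST request. Classic scope semantics used below:
    repo         read + write on private and public repositories
    public_repo  read + write on public repositories only
"""
from __future__ import annotations

import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple

API_USER = "https://api.github.com/user"

# A transport takes (url, request headers) and returns (status, response headers).
Transport = Callable[[str, Mapping[str, str]], Tuple[int, Mapping[str, str]]]


@dataclass(frozen=True)
class TokenReport:
    status: int                   # HTTP status; 401 means revoked/invalid
    scopes: Tuple[str, ...]       # parsed X-OAuth-Scopes, empty if absent
    private_repo_write: bool      # token can modify private repositories
    public_repo_write: bool       # token can modify public repositories

    @property
    def valid(self) -> bool:
        return self.status == 200


def parse_scopes(header_value: Optional[str]) -> Tuple[str, ...]:
    """X-OAuth-Scopes is a comma-separated list such as 'repo, read:org'.

    An absent or empty header on a 200 response means the token carries no
    classic scopes (e.g. a GitHub App or fine-grained token); its permissions
    then have to be checked elsewhere, so the caller must not read it as 'harmless'.
    """
    if not header_value:
        return ()
    return tuple(s.strip() for s in header_value.split(",") if s.strip())


def urllib_transport(url: str, headers: Mapping[str, str]) -> Tuple[int, Mapping[str, str]]:
    """Real transport: performs the request and surfaces 401 instead of raising."""
    req = urllib.request.Request(url, headers=dict(headers))
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as exc:
        # A revoked or bad token yields 401; keep the headers for diagnostics.
        return exc.code, dict(exc.headers)


def triage_token(token: str, transport: Transport = urllib_transport) -> TokenReport:
    """Ask the API who the token is and what classic scopes it carries."""
    request_headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "token-triage-example",  # GitHub rejects requests without one
    }
    status, response_headers = transport(API_USER, request_headers)
    lowered = {k.lower(): v for k, v in response_headers.items()}  # header names are case-insensitive
    scopes = parse_scopes(lowered.get("x-oauth-scopes")) if status == 200 else ()
    return TokenReport(
        status=status,
        scopes=scopes,
        private_repo_write="repo" in scopes,
        public_repo_write=bool({"repo", "public_repo"} & set(scopes)),
    )


# Constructed sample responses standing in for api.github.com (not real captures).
FAKE_RESPONSES = {
    "ghp_constructed_broad": (200, {"X-OAuth-Scopes": "repo, workflow, read:org"}),
    "ghp_constructed_public": (200, {"x-oauth-scopes": "public_repo"}),
    "ghp_constructed_revoked": (401, {"X-GitHub-Media-Type": "github.v3; format=json"}),
}


def fake_transport(url: str, headers: Mapping[str, str]) -> Tuple[int, Mapping[str, str]]:
    """Offline transport: looks the bearer token up in FAKE_RESPONSES."""
    token = headers["Authorization"].removeprefix("Bearer ")
    return FAKE_RESPONSES.get(token, (401, {}))


if __name__ == "__main__":
    for tok in FAKE_RESPONSES:
        print(tok, triage_token(tok, fake_transport))
```

Run against a real token by calling `triage_token("<token>")` with the default transport. A report with `private_repo_write` set confirms the broad read/write reach described above, and a 401 confirms that a revocation took effect; the script stops short of exercising the token against any repository.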