MarkDoom: How I Hacked Every Major IDE in 2 Weeks

Matt Austin at AppSec California 2018

JavaScript (and HTML) has completely conquered the Web, and now it’s taking over the Desktop. In order to provide more user-friendly graphical interfaces, today's software applications are being built with embedded browsers. Companies such as GitHub, Apple, Microsoft, Facebook, and Slack all build complex, desktop-like web applications completely in JavaScript. Many other organizations embed entire browsers into their products for rendering content. We call all of this the “Desktop Web,” and it’s full of security problems that have more devastating consequences than your typical JavaScript injection.
I will walk through examples of arbitrary code execution that I discovered in Visual Studio Code, GitHub Atom Editor, Sublime Text, Adobe Brackets Editor, all JetBrains Products (IntelliJ IDEA, PhpStorm, WebStorm, PyCharm, RubyMine, AppCode, CLion, ...) and more. This research resulted in 5 CVEs and $(TBD)k in bounties.
Welcome to the unholy marriage of web application and desktop security. Let’s explore how each editor was implemented, what went wrong, and the controls that can be used to do this more safely.

Matt Austin is the Director of Security Research at Contrast Security, focused on runtime security assessment and protection through instrumentation. Prior to Contrast, Matt worked as a security consultant at Aspect Security, and is currently active in many of the top Bug Bounty platforms.