WelcomeUser Guide
ToSPrivacyCanary
DonateBugsLicense

©2026 Poal.co

407

Archive: https://archive.today/35ZO4

From the post:

>Updated: Yet another aggrieved bug hunter has leaked a vulnerability affecting a Microsoft product after becoming disillusioned with the way the company handles security reports. Ammar Askar dropped a proof of concept (PoC) exploit for a Visual Studio Code (VS Code) flaw within just an hour of disclosing it to “an old contact” at the open source platform, according to his account of things. The vulnerability he exposed involves attackers configuring repos, either of their own making or those they have compromised separately, to push malicious VS Code extensions via its Workspace Recommendations feature, which then steal OAuth tokens they can then use to read/write public and private GitHub repos. It affects anyone who has ever used github.dev, a feature that allows users to open a GitHub repo in a browser-based version of VS Code.

Archive: https://archive.today/35ZO4 From the post: >>Updated: Yet another aggrieved bug hunter has leaked a vulnerability affecting a Microsoft product after becoming disillusioned with the way the company handles security reports. Ammar Askar dropped a proof of concept (PoC) exploit for a Visual Studio Code (VS Code) flaw within just an hour of disclosing it to “an old contact” at the open source platform, according to his account of things. The vulnerability he exposed involves attackers configuring repos, either of their own making or those they have compromised separately, to push malicious VS Code extensions via its Workspace Recommendations feature, which then steal OAuth tokens they can then use to read/write public and private GitHub repos. It affects anyone who has ever used github.dev, a feature that allows users to open a GitHub repo in a browser-based version of VS Code.
You are currently inside a comment thread.
Click here to see all the comments (6).
[–] 1 pt

Ammar Askar

Let me guess:

  • Sandnigger used AI models trained for coding to search for vulnerabilities.

  • The AI found one.

  • He jumped in the air yelling he was gonna get rich.

  • Submitted a vulnerability report.

  • Got a reply that it's not worth money.

  • Got mad because no more bobs and vagene.

  • He decides to leak it as a form of retaliation.

[–] 1 pt

It could be that, but according to Nightmare Eclipse (deadeclipse666.blogspot.com) even if you are only trying to responsibly report something to Microsoft and ensure that they fix it they will arrogantly ignore you, defame you, delete the account you used to report the bug, delete your GitHub account (just to be jerks), eventually fix the bugs without crediting you, and sometimes without even putting out an advisory (deadeclipse666.blogspot.com). It all sounds like pajeet behavior, but it doesn’t matter. They’re doing security wrong.

If the software maintainers will not even acknowledge a vulnerability the responsible thing to do is alert the public so they can take their own measures to protect themselves.

[–] 1 pt

Agreed.

A pajeet got pajeeted by a Microsoft H1B DEI pajeet who will take credits for a vulnerability discovered by an AI.

[–] 1 pt

I don't disagree, but fuck microsoft, the faster they can be relegated to the internet wayback machine the better.