HeadlinesBriefing.com

VSCode Webview Bug Enables GitHub Token Theft via Single Click

Hacker News

A critical security vulnerability in GitHub's browser-based VSCode implementation allows attackers to steal OAuth tokens with a single click. The github.dev feature runs a lightweight VSCode instance in the browser, with full access to private repositories through broadly scoped tokens. That makes github.dev an attractive target, given the amount of private code those tokens expose.

VSCode sandboxes webviews in cross-origin iframes to isolate untrusted content. The vscode-webview:// origin separates webview content from the main application window, so a webview cannot manipulate the editor's DOM directly. However, the did-keydown event handler forwards keyboard events from the webview to the main window, and that channel becomes an unexpected attack vector that bypasses the intended security boundary.

Attackers can exploit this by simulating keystrokes from a malicious webview to trigger the editor's keyboard shortcuts. The "Notifications: Accept Notification Primary Action" binding (Ctrl+Shift+A) provides the most straightforward exploitation path: it lets the attacker install an attacker-controlled extension, which then exfiltrates the OAuth token and with it complete read and write access to all of the user's repositories.
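To make the two preceding paragraphs concrete, here is an added host-side model of the keystroke-forwarding channel, written for this summary and not taken from VSCode's or GitHub's code. It contrasts a naive handler that replays any forwarded "did-keydown" message into the editor's keybinding table with a hardened handler that decides on host-side facts only. The Ctrl+Shift+A binding is the one named above; the message shape, the origin string, the other chords, the command ids, and the function names are all constructed assumptions.

```javascript
// Added illustration (not VSCode's own code) of a host window receiving
// keyboard events forwarded from a sandboxed webview iframe via postMessage.

// Sample keybinding table (chord -> command). Ctrl+Shift+A is the binding the
// article names; the other two entries are constructed for the example.
const KEYBINDINGS = new Map([
  ["ctrl+shift+a", "notifications.acceptPrimaryAction"],
  ["ctrl+p", "workbench.quickOpen"],
  ["escape", "workbench.focusEditor"],
]);

// Commands whose effect crosses a trust boundary (accepting a prompt,
// installing an extension). A keystroke that merely *claims* to come from the
// user must never reach these.
const PRIVILEGED = new Set(["notifications.acceptPrimaryAction"]);

// The only chords the host is willing to honour from inside a webview:
// navigation out of the frame, never confirmation of a dialog.
const WEBVIEW_ALLOWED_CHORDS = new Set(["escape", "ctrl+p"]);

// Origin the host expects webview frames to be served from (constructed).
const WEBVIEW_ORIGIN = "vscode-webview://example-webview";

// Normalise a keyboard payload into a chord string such as "ctrl+shift+a".
function chordOf(ev) {
  const parts = [];
  if (ev.ctrlKey) parts.push("ctrl");
  if (ev.shiftKey) parts.push("shift");
  if (ev.altKey) parts.push("alt");
  parts.push(String(ev.key).toLowerCase());
  return parts.join("+");
}

// Naive handler: every "did-keydown" message is treated as if the user had
// pressed those keys in the main window. This is the behaviour the article
// describes; the webview script authors the payload and can forge any chord.
function naiveHandler(message) {
  if (!message.data || message.data.type !== "did-keydown") return null;
  return KEYBINDINGS.get(chordOf(message.data)) ?? null;
}

// Hardened handler. Nothing inside message.data is trustworthy (the webview
// wrote it), so the decision rests on facts the host controls:
//  1. the sender really is a webview frame (message.origin is set by the
//     browser, not by the sender);
//  2. the chord is on a short allowlist of non-privileged actions;
//  3. privileged commands are refused even if the allowlist is misconfigured.
function hardenedHandler(message) {
  if (!message.data || message.data.type !== "did-keydown") return null;
  if (message.origin !== WEBVIEW_ORIGIN) return null;   // unexpected sender
  const chord = chordOf(message.data);
  if (!WEBVIEW_ALLOWED_CHORDS.has(chord)) return null;  // not forwardable
  const command = KEYBINDINGS.get(chord) ?? null;
  if (command === null || PRIVILEGED.has(command)) return null;
  return command;
}

// Constructed messages, shaped like what window.onmessage would deliver.
const forgedAccept = {
  origin: WEBVIEW_ORIGIN,
  data: { type: "did-keydown", key: "A", ctrlKey: true, shiftKey: true, altKey: false },
};
const escapeFromWebview = {
  origin: WEBVIEW_ORIGIN,
  data: { type: "did-keydown", key: "Escape", ctrlKey: false, shiftKey: false, altKey: false },
};

// Summarise how each handler treats the two messages.
function demo() {
  return {
    naiveOnForged: naiveHandler(forgedAccept),         // privileged command fires
    hardenedOnForged: hardenedHandler(forgedAccept),   // null: refused
    hardenedOnEscape: hardenedHandler(escapeFromWebview), // benign chord still works
  };
}

console.log(demo());
```

The point of the hardened version is that no field in the forwarded payload (a `isTrusted` flag, a timestamp, a nonce the webview could read) can prove a human pressed the keys; the host can only limit what a forwarded keystroke is allowed to do, and commands that accept prompts or install code should not be reachable through that channel at all.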

The vulnerability affects users accessing github.dev through web browsers, not desktop VSCode installations. Microsoft patched the issue after responsible disclosure, though the incident highlights risks inherent in complex web-based IDE implementations that bridge local application security models with browser environments.