[BUG] Able to use copilot in VS Code signed in a different account to do actions in the account with MCP PAT #373

Open
justary27 opened this issue May 5, 2025 · 4 comments

@justary27

Describe the bug

Say you are user "hacker" who is signed into VS Code with this GitHub account, and somehow you get the PAT (Personal Access Token) of a user "victim". You can use this PAT to do actions in the "victim" user's account despite being logged in as "hacker" in VS Code.

This can also be thought of as an exploit to use GitHub Copilot in accounts that don't have the required subscription.

Affected version

GitHub MCP Server
Version: v0.2.1
Commit: 9fa582d
Build Date: 2025-04-21T23:03:01Z

Steps to reproduce the behavior

Same as in description

Expected vs actual behavior

This should raise an alert email to the "victim" and the PAT should be auto revoked.

@justary27 justary27 added the bug Something isn't working label May 5, 2025
@gillisandrew

To clarify, you're suggesting that because the MCP might be configured with another user's PAT (exfiltrated from somewhere else), it is an exploit?

If so I'd point out:

  1. API clients aren't typically responsible for "authenticating" the token's user. Access tokens are bearer tokens, meaning its possession is proof of authorization; any monitoring and invalidation is handled by the API/resource owner.
  2. The MCP server doesn't have any access beyond that granted to the token; it's not allowing a malicious actor to do things that couldn't be done by calling the GitHub APIs directly.

Feel free to correct me if I misunderstood.

@justary27
Author

justary27 commented May 5, 2025

That would be saying that any accidental .env files containing any keys (for example Discord secret tokens, which get revoked almost immediately) that get pushed to GitHub shouldn't be revoked? When obviously implementing this check would be much better and easier to implement in comparison (it's just a Copilot signed-in and PAT user mismatch check).

@rkargMsft

You don't necessarily have the PAT from the same credentials that are currently configured. There can be users that use multiple GitHub instances (public GitHub.com and GitHub Enterprise instances) as well as multiple accounts.

The PAT is a secret that must be kept secure. If it's been compromised, then the compromiser has much easier ways to exploit it than setting up an MCP server in VS Code and trying to get an LLM to do nasty stuff.

@williammartin
Collaborator

@justary27 is there some specific incident that prompted you to create this?

I don't see how we could support valid use-cases with multiple accounts on the same host, whilst preventing malicious use. Furthermore, even if we could, it seems like this feature request would be better directed at VS Code since there's no obvious way for this to work without a communication mechanism about authentication, which would have to come from the MCP host.

@williammartin williammartin removed the bug Something isn't working label May 6, 2025