
[BUG] Able to use copilot in VS Code signed in a different account to do actions in the account with MCP PAT

Open justary27 opened this issue 7 months ago • 5 comments

Describe the bug

Say you are user "hacker" who is signed into VS Code with this GitHub account, and somehow you get the PAT (Personal Access Token) of a user "victim". You can use this PAT to do actions in the "victim" user's account despite being logged in as "hacker" in VS Code.

This can also be thought of as an exploit to use GitHub Copilot in accounts that don't have the required subscription.

Affected version

GitHub MCP Server
Version: v0.2.1
Commit: 9fa582d8d63522d70ce8f3af58265effb9645323
Build Date: 2025-04-21T23:03:01Z

Steps to reproduce the behavior

Same as in description

Expected vs actual behavior

This should raise an alert email to the "victim" and the PAT should be auto-revoked.

justary27 avatar May 05 '25 10:05 justary27

To clarify, you're suggesting that because the MCP might be configured with another user's PAT (exfiltrated from somewhere else), it is an exploit?

If so I'd point out:

  1. API clients aren't typically responsible for "authenticating" the token's user. Access tokens are bearer tokens, meaning its possession is proof of authorization; any monitoring and invalidation is handled by the API/resource owner.
  2. The MCP server doesn't have any access beyond that granted to the token; it's not allowing a malicious actor to do things that couldn't be done by calling the GitHub APIs directly.

Feel free to correct me if I misunderstood.

gillisandrew avatar May 05 '25 15:05 gillisandrew

That would be saying that any accidental .env files containing any keys (for example Discord secret tokens which get revoked almost immediately) that get pushed to GitHub shouldn't be revoked? When obviously implementing this check would be much better and easier to implement in comparison (it's just a Copilot signed-in and PAT user mismatch check)

justary27 avatar May 05 '25 17:05 justary27

You don't necessarily have the PAT from the same credentials that are currently configured. There can be users that use multiple GitHub instances (public GitHub.com and GitHub Enterprise instances) as well as multiple accounts.

The PAT is a secret that must be kept secure. If it's been compromised, then the compromiser has much easier ways to exploit it than setting up an MCP server in VS Code and trying to get an LLM to do nasty stuff.

rkargMsft avatar May 06 '25 06:05 rkargMsft

@justary27 is there some specific incident that prompted you to create this?

I don't see how we could support valid use-cases that involve multiple accounts on the same host, whilst preventing malicious use. Furthermore, even if we could, it seems like this feature request would be better directed at VSCode since there's no obvious way for this to work without a communication mechanism about authentication, which would have to come from the MCP host.

williammartin avatar May 06 '25 12:05 williammartin
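
The account-mismatch check discussed in this thread, as an added example (not code from github-mcp-server or VS Code): it resolves the token's owner with `GET /user` and compares it with the login expected for that API host. It assumes the MCP host can supply that expected login per API base URL, which is the missing communication mechanism mentioned above; `CheckTokenOwner`, `FakeAPI` and the token value are hypothetical and constructed.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CheckTokenOwner resolves the token's account via GET /user and compares it with the
// login the MCP host reports for that API base (hypothetical input). It fails closed.
func CheckTokenOwner(expected map[string]string, apiBase, token string) error {
	want, ok := expected[apiBase]
	if !ok { // never send the token to a host nobody vouched for
		return fmt.Errorf("no expected account for %s", apiBase)
	}
	req, err := http.NewRequest(http.MethodGet, apiBase+"/user", nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var u struct{ Login string `json:"login"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&u) != nil {
		return fmt.Errorf("cannot resolve token owner on %s: %s", apiBase, resp.Status)
	}
	if !strings.EqualFold(u.Login, want) { // GitHub logins are case-insensitive
		return fmt.Errorf("token belongs to %q, expected %q", u.Login, want)
	}
	return nil
}

// FakeAPI is a constructed stand-in for one API host that accepts a single token.
func FakeAPI(token, login string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/user" || r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "bad credentials", http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"login": login})
	}))
}

func main() { // constructed scenario: token owned by "victim", host expects "hacker"
	srv := FakeAPI("constructed-token", "victim")
	fmt.Println(CheckTokenOwner(map[string]string{srv.URL: "hacker"}, srv.URL, "constructed-token"))
}
```

The expected-login map is keyed by API base URL so that separate GitHub.com and GitHub Enterprise accounts can coexist; without a trusted source for that map the comparison has nothing to compare against.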

This issue is stale because it has been open for 30 days with no activity. Leave a comment to avoid closing this issue in 60 days.

github-actions[bot] avatar Nov 02 '25 09:11 github-actions[bot]