That time I found an XSS

23 Nov 2025, 11:25 PM

About a year ago, I decided to look into some AI autocomplete for my IDE. This was before tools like Cursor were a very big thing (I think). I ended up trying Tabnine, but later switched to Codeium, because of their free individual plan. So one time I was signing in, and me being me, I watched the URL and noticed something interesting. When I clicked sign in from VSCode, it redirected to a login page, and then to a URL that redirected back to a vscode:// URL. Of course I replaced the URL with https://example.com and sure enough, it redirected there. This was already pretty bad, because I could, for example, set up an ad or something that shows the real Codeium URL, but redirects to a malicious site. But it may also open the site up to XSS.

But what is XSS anyway?

First, I'm going to try my best to explain XSS. It stands for Cross Site Scripting, and it is where malicious scripts are injected into trusted sites. So for example, if you directly send text that is user provided to the browser, like this:

You can send /test?text=example and get this:

But you can also send something like /test?text=<script>alert("XSS")</script> and get this:

And that JavaScript will run, resulting in an alert box appearing. This is an example of reflected XSS, where user-provided data is sent back to the client without being sanitised. There are many ways to do an XSS attack, and the one I found on Codeium involved the javascript: scheme. Basically, you can execute code by linking to javascript:whatever(), with an a element or a redirect. This is how bookmarklets work. You see where this is going?

The vulnerability

So of course I replaced the URL in the redirect with javascript:alert(). I didn't expect it to work, but as soon as the page loaded it redirected to the javascript: URL, showing the alert box. Basically this means you could possibly send a link to anyone and take over their Codeium account when they click on it. I didn't test this.

Reporting it

I don't think at the time Codeium had a good way of reporting vulnerabilities, so I had to use the contact form. I had limited time because reasons, so I just sent a quick message, and they responded a few days later saying they should have a fix out soon. I checked a few days later and it was fixed! Unfortunately, I didn't get a CVE :(

Timeline

29th Jan 2024 - Discovered and reported
1st Feb 2024 - Response
Around 3rd Feb 2024 - Fixed

A bit more about Codeium

You might not have heard about Codeium, probably because I forgot to mention that recently they rebranded to Windsurf, forked VSCode, and now have a $2.4 billion deal with Google.

In conclusion

Just don't have an arbitrary redirect. Maybe use a whitelist for redirect hosts/schemes and paths. Stay secure :)
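One way to do that whitelist check in a login page's redirect handler, as an added example that is not Codeium's code: the allowed host, the fallback URL and the vscode:// deep link below are placeholders I made up. It parses the target the way the browser would, so scheme tricks like javascript: (in any letter case), protocol-relative //host paths and user@host lookalikes all fall back to a safe page.

```javascript
// Added example, not Codeium's code. Allowed host and fallback are made-up placeholders.
const ALLOWED_HTTPS_HOSTS = new Set(["app.example-ide.test"]); // assumption
const ALLOWED_SCHEMES = new Set(["https:", "vscode:"]);        // vscode:// deep links are expected
const FALLBACK = "https://app.example-ide.test/";              // assumption: a safe landing page

// Returns an absolute URL that is safe to redirect the browser to, or FALLBACK.
function safeRedirectTarget(raw, base = FALLBACK) {
  if (typeof raw !== "string") return FALLBACK;
  let url;
  try {
    // Resolving against a base turns "/path" and "//evil" into the absolute URL
    // the browser would actually navigate to, so that is what gets checked.
    url = new URL(raw, base);
  } catch {
    return FALLBACK; // unparsable input is never reflected into a Location header
  }
  // WHATWG parsing lowercases the scheme, so "JAVASCRIPT:alert()" is rejected too.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return FALLBACK;
  if (url.protocol === "https:") {
    // Exact hostname match: "app.example-ide.test.evil.test" is a different host, and
    // "https://app.example-ide.test@evil.test/" parses with hostname "evil.test".
    if (!ALLOWED_HTTPS_HOSTS.has(url.hostname)) return FALLBACK;
    if (url.username || url.password) return FALLBACK; // no credentials in redirects
  }
  return url.href;
}
```

Anything that does not pass should also be logged, since a flood of javascript: or foreign-host targets hitting this handler is a cheap signal that someone is probing the redirect.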

So I guess I have a blog now

16 Nov 2025, 5:55 PM

Yeah so this is where I'll post random stuff idk. So I can use bold, italic, underline, strikethrough, code


This website is open source
