An out-of-the-box setting in Cursor, a popular AI source-code editor, could be leveraged by attackers to covertly run malicious code on users’ computers, researchers have warned.
An exploitable vulnerability in the Cursor AI editor
Cursor is an AI-augmented fork of Visual Studio Code (VS Code), a code editor developed by Microsoft.
VS Code’s Workspace Trust feature is enabled by default, ensuring that when users browse code repositories, no (potentially malicious) code can run automatically in their workspace without their explicit approval.
Cursor, on the other hand, ships with the Workspace Trust feature turned off and this, according to Oasis Security researchers, “means a project can include a hidden ‘autorun’ instruction that tells the IDE to execute a task the moment you open the folder: no prompt, no consent.”
Attackers can introduce a commit containing a malicious task with a “run on folder open” setting in a publicly accessible repository, and when a user opens the repository in Cursor, the task will silently run code in the user’s session.
Attackers can thus steal sensitive information and credentials, modify files, and more.
Also, since developer laptops inherit powerful access via cloud keys, PATs, API tokens, and SaaS sessions, “with autorun enabled by default, a booby-trapped repo can quickly pivot from one machine to CI/CD and cloud, including non-human identities that often carry broad permissions,” the researchers noted.
Risk mitigation and detection
An easy way to mitigate this risk is to switch on Workspace Trust in Cursor. But – as the company behind the code editor told Oasis – Workspace Trust disables AI and other Cursor features. And these features may be the main reason why users use this particular code editor.
If that’s not a viable solution, Oasis researchers advise disabling all automatic task execution by setting task.allowAutomaticTasks to "off", and opening unknown repositories in a different editor or a safer environment (e.g., a disposable container or virtual machine).
Developers should also avoid storing important passwords or keys in a way that makes them accessible to every app. Instead, they should only load them when they actually need them.
Anysphere, the company developing Cursor, has committed to publishing updated security documentation that will explain their “position on Workspace Trust and instructions to enable it for users and organizations who want to.” But, at least for now, there’s no mention of changing the default Workspace Trust setting.
Oasis researchers have published a (harmless) proof-of-concept .vscode/tasks.json file and have provided threat hunting advice for enterprises.
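The following scanner is an added example for defenders, not Oasis's proof-of-concept or Cursor's code: it walks a checked-out repository, parses each .vscode/tasks.json (which VS Code and Cursor read as JSON with comments and trailing commas, so a plain JSON parser would miss some files) and reports every task whose runOptions.runOn is set to folderOpen, i.e. the “run on folder open” setting described above. The embedded tasks.json is a constructed sample with a harmless command.

```python
import json
import re
from pathlib import Path

# Constructed sample: one task set to start the moment the folder is opened.
SAMPLE_TASKS_JSON = """{
  // comments and trailing commas are legal in VS Code/Cursor tasks.json
  "version": "2.0.0",
  "tasks": [
    {"label": "setup", "type": "shell", "command": "echo autorun-demo",
     "runOptions": {"runOn": "folderOpen"},},
    {"label": "build", "type": "shell", "command": "make"},
  ],
}"""


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside strings, then trailing commas."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):   # keep escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):            # line comment
            nl = text.find("\n", i)
            i = len(text) if nl < 0 else nl
            continue
        elif text.startswith("/*", i):            # block comment
            end = text.find("*/", i + 2)
            i = len(text) if end < 0 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def find_autorun_tasks(tasks_json_text: str) -> list[dict]:
    """Return the tasks that would run automatically on folder open."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    return [{"label": t.get("label"), "type": t.get("type"),
             "command": t.get("command"), "args": t.get("args", [])}
            for t in doc.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]


def scan_repo(root: str) -> list[dict]:
    """Report every folderOpen task in any .vscode/tasks.json under root."""
    findings = []
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name == ".vscode":
            for hit in find_autorun_tasks(path.read_text(encoding="utf-8-sig")):
                findings.append({"file": str(path), **hit})
    return findings
```

Run scan_repo over a mirror of your organisation's repositories to find folderOpen tasks before developers open them; any hit is worth review regardless of how innocuous the command looks.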