[BUG] Able to use copilot in VS Code signed in a different account to do actions in the account with MCP PAT

[justary27]

Describe the bug

Say you are user "hacker" who is signed into VS Code with this GitHub account, and somehow you get the PAT (Personal Access Token) of a user "victim". You can use this PAT to do actions in the "victim" user's account despite being logged in as "hacker" in VS code.

This can also be thought of as an exploit to use GitHub copilot in accounts that don't have the required subscription.

Affected version

GitHub MCP Server
Version: v0.2.1
Commit: 9fa582d
Build Date: 2025-04-21T23:03:01Z

Steps to reproduce the behavior

Same as in description

Expected vs actual behavior

This should raise an alert email to the "victim" and the PAT should be auto revoked.

[gillisandrew]

To clarify, you're suggesting that because the MCP might be configured with another user's PAT (exfiltrated from somewhere else), it is an exploit?

If so I'd point out:

1. API clients aren't typically responsible for "authenticating" the token's user. Access tokens are bearer tokens, meaning it's possession is proof of authorization, any monitoring and invalidation is handled by the API/resource owner.
2. the MCP server doesn't have any access beyond that granted to the token, it's not allowing a malicious actor to do things that couldn't be done by calling the GitHub APIs directly.

Feel free to correct me if I misunderstood.

[justary27]

That would be saying that any accidental .env files containing any keys (for example discord secret tokens which get revoked almost immediately) that get pushed to GitHub shouldn't be revoked? When obviously implementing this check would be much better and easier to implement in comparison (it's just a copilot signed in and pat user mismatch check)

[rkargMsft]

You don't necessarily have the PAT from the same credentials that are currently configured. There can be users that use multiple GitHub instances (public GitHub.com and GitHub Enterprise instances) as well as multiple accounts.

The PAT is a secret that must be kept secure. If it's been compromised, then the compromiser has much easier ways to exploit it than setting up an MCP server in VS Code and trying to get an LLM to do nasty stuff.

[williammartin]

@justary27 is there some specific incident that prompted you to create this?

I don't see how we could support valid use-cases that multiple accounts on the same host, whilst preventing malicious use. Furthermore, even if we could, it seems like this feature request would be better directed at VSCode since there's no obvious way for this to work without a communication mechanism about authentication, which would have to come from the MCP host.