How dangerous is Code With Me, a remote pair programming tool from Jetbrains?



  • I've been looking into this very useful remote pair programming plugin from JetBrains called Code With Me, but want to understand all the security implications.

    From their FAQ page:

    How is data transferred through JetBrains servers?

    Your project and solution data is transferred through JetBrains servers encrypted end to end. The end-to-end encryption is secure only when the host and the guest verify that the generated PIN code matches on both ends. Otherwise, the end-to-end encryption is potentially susceptible to person-in-the-middle attacks. Local IP addresses, project names, and the operating system username are shared without encryption as they are used for letting JetBrains establish a session between the host and a guest. When initiating a new Code With Me session, the host communicates with the JetBrains server over TLS1.2+. Code With Me communicates through an open source distributed protocol created by JetBrains, and uses TLS 1.3 for end-to-end encryption. If you don’t want your data to be transferred via JetBrains servers, you can configure on-premises servers.

    Couldn't local IP addresses and OS usernames be used by a hacker to attempt remote desktop connections?

    Also the fact that the plugin can give guest users IDE terminal access on the host user's computer (depending on the permissions set by the session host user) seems concerning, as it could potentially give an attacker access to the larger file system.

    JetBrains says that the connections are end-to-end encrypted, but since they own the plugin client and the servers through which the sessions are relayed (unless you pay for the on-prem license), couldn't someone with inside access to JetBrains potentially disable the encryption/decrypt traffic?

    Are there any other security concerns I should be worried about?
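    The FAQ quoted above says the end-to-end encryption only holds once host and guest confirm that the same PIN appears on both ends. The following is an added illustration (not part of the question, and not JetBrains' code or protocol) of the generic short-authentication-string idea behind such a PIN: each side hashes the public values it actually exchanged together with the secret it derived, and displays a truncation of that hash. If a relay in the middle substitutes its own key toward each side, the two sides derive different secrets and their PINs no longer agree. The Diffie-Hellman group (RFC 3526 group 14), the hash layout and the 6-digit truncation are assumptions chosen for the demo; the fixed private exponents used in the usage section are test values, not secure keys.

```python
"""Short-authentication-string (PIN) check over a Diffie-Hellman exchange.

Added teaching example: why a PIN compared out of band detects a relay
that sits between host and guest. Everything here (group, hash layout,
PIN length) is an assumption for illustration, not Code With Me's protocol.
"""
import hashlib
import secrets

# 2048-bit MODP group from RFC 3526 (group 14), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def keypair(priv=None):
    """Return (private exponent, public value). A fixed priv is for tests only."""
    if priv is None:
        priv = secrets.randbits(256)
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Classic DH: secret = peer_pub ** priv mod P."""
    return pow(peer_pub, priv, P)


def fingerprint(pub_a, pub_b, secret):
    """Digest over both public values (sorted, so both sides hash them in the
    same order) and the derived secret. Two sides that saw the same exchange
    get the same digest; two sides that each talked to a relay do not."""
    lo, hi = sorted((pub_a, pub_b))
    h = hashlib.sha256()
    h.update(b"sas-demo-v1")  # assumed domain-separation label
    for value in (lo, hi, secret):
        h.update(value.to_bytes(256, "big"))
    return h.hexdigest()


def pin_from_fingerprint(fp, digits=6):
    """Truncate the digest to a short decimal code a person can read aloud."""
    return str(int(fp[:16], 16) % 10**digits).zfill(digits)


def honest_session(host_priv=None, guest_priv=None):
    """Host and guest exchange public values directly. Returns both fingerprints."""
    h_priv, h_pub = keypair(host_priv)
    g_priv, g_pub = keypair(guest_priv)
    host_fp = fingerprint(h_pub, g_pub, shared_secret(h_priv, g_pub))
    guest_fp = fingerprint(h_pub, g_pub, shared_secret(g_priv, h_pub))
    return host_fp, guest_fp


def relayed_session(host_priv=None, guest_priv=None, relay_priv=None):
    """A relay substitutes its own public value toward each side, so each
    endpoint agrees a secret with the relay rather than with its peer.
    Each fingerprint covers what that endpoint really received, so the two
    digests (and the PINs derived from them) diverge."""
    h_priv, h_pub = keypair(host_priv)
    g_priv, g_pub = keypair(guest_priv)
    _, r_pub = keypair(relay_priv)
    host_fp = fingerprint(h_pub, r_pub, shared_secret(h_priv, r_pub))
    guest_fp = fingerprint(r_pub, g_pub, shared_secret(g_priv, r_pub))
    return host_fp, guest_fp


def pins_match(fp_a, fp_b):
    """The out-of-band check: host and guest compare the PINs they see."""
    return pin_from_fingerprint(fp_a) == pin_from_fingerprint(fp_b)


if __name__ == "__main__":
    # Constructed test exponents; real sessions use keypair() with no argument.
    hf, gf = honest_session(12345, 67890)
    print("direct exchange, PINs match:", pins_match(hf, gf),
          pin_from_fingerprint(hf), pin_from_fingerprint(gf))
    hf, gf = relayed_session(12345, 67890, 424242)
    print("relay in the middle, PINs match:", pins_match(hf, gf),
          pin_from_fingerprint(hf), pin_from_fingerprint(gf))
```

    The point of the demo is that the relay cannot make both PINs agree without knowing a private exponent it never sees, which is exactly why the FAQ ties the security of the end-to-end channel to the PIN comparison rather than to the relay being honest. Skipping the comparison is what reopens the person-in-the-middle case the FAQ describes.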



  • Couldn't local IP addresses and OS usernames be used by a hacker to attempt remote desktop connections?

    Unless your dev workstation is internet-facing (i.e. you've port-forwarded it through your router), I wouldn't worry about the IP part. Maybe your username and project name could be considered sensitive.

    When they say "without encryption" I think they mean that your IDE shares this with the JetBrains server; not that this info is pasted publicly on pastebin for everyone to see. They do say later on "the host communicates with the JetBrains server over TLS1.2+". I guess you need to decide for yourself whether you trust employees of JetBrains to see your local IP address, username and project name; but if not then you probably shouldn't have installed their IDE in the first place.


    Also the fact that the plugin can give guest users IDE terminal access on the host user's computer (depending on the permissions set by the session host user) seems concerning, as it could potentially give an attacker access to the larger file system.

    That's true, but I would hope you're not inviting random people off the internet to do pair programming with you. This feature seems designed for situations where you're working closely with a team member, presumably both on corporate-issued laptops.


    since they own the plugin client ... couldn't someone with inside access to JetBrains potentially disable the encryption/decrypt traffic?

    So you're questioning whether or not you trust JetBrains (the company) to produce trustworthy and non-malicious software? I like healthy skepticism, but that seems like a thing you should figure out before you download the software, install it on your computer, run it, and give it access to your source code.


