HackerOne Disclosed Reports - 2025-08-05

Severity: Medium   |   Status: resolved

Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https://wakatime.com/oauth/authorize


Bug reported by was disclosed on August 5, 2025, 11:25 pm   |   Violation of Secure Design Principles

The WakaTime OAuth authorization flow was vulnerable to a double-clickjacking attack. The attack allowed an attacker to trick users into unknowingly clicking the "Connect my WakaTime account" button in the consent dialog, enabling the attacker to register an OAuth application, capture the authorization code, and exchange it for an access token. This granted the attacker full access to defined permissions on behalf of the victim.


[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]
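The report above describes a double-clickjacking attack, which needs no iframe and therefore is not stopped by X-Frame-Options or CSP frame-ancestors: the consent page receives the second click of the victim's double-click directly, as a top-level window, with no mouse movement or key press ever having happened on that page. The snippet below is an added example, not code from the HackerOne report, from WakaTime, or from the reporter. It contrasts a consent-button handler that honours any click with one that stays disarmed until the page itself has observed a deliberate user gesture. The travel threshold, the `#connect-wakatime` button id and the constructed event sequences are assumptions for the demo.

```javascript
// Added example: client-side mitigation for double-clickjacking on an OAuth
// consent page. Not WakaTime's code; thresholds, ids and inputs are assumptions.

const MIN_POINTER_TRAVEL_PX = 10; // assumption: pointer must travel this far before a click counts

// 1. Vulnerable handler: any click on "Connect my WakaTime account" is honoured,
//    including the hijacked second click of a victim's double-click.
function vulnerableConsentHandler() {
  return {
    handle(ev) {
      return ev.type === 'click' ? { accepted: true } : { accepted: false };
    },
  };
}

// 2. Hardened handler: the click is honoured only after this page has seen a
//    real gesture (pointer travel or a key press). A tiny jitter when the
//    attacker's popup closes over the button does not reach the threshold.
function hardenedConsentHandler(opts = {}) {
  const minTravel = opts.minTravelPx ?? MIN_POINTER_TRAVEL_PX;
  let origin = null; // first pointer position observed on this page
  let armed = false;

  function handle(ev) {
    switch (ev.type) {
      case 'mousemove':
        if (origin === null) {
          origin = { x: ev.x, y: ev.y };
        } else if (Math.hypot(ev.x - origin.x, ev.y - origin.y) >= minTravel) {
          armed = true;
        }
        return { accepted: false };
      case 'keydown':
        armed = true;
        return { accepted: false };
      case 'click':
        if (!armed) {
          return { accepted: false, reason: 'no user gesture observed on this page before the click' };
        }
        return { accepted: true };
      default:
        return { accepted: false };
    }
  }
  return { handle, isArmed: () => armed };
}

// Replay an ordered list of events and return the decision made on the last one.
function decide(handler, events) {
  let last = { accepted: false, reason: 'no click' };
  for (const ev of events) last = handler.handle(ev);
  return last;
}

// Constructed event sequences (sample input, not captured from a real attack).
// Double-clickjacking: the consent page only ever sees the second click; the
// cursor was held still over the attacker's popup, so nothing else fired here.
const DOUBLE_CLICKJACK = [{ type: 'click', x: 512, y: 380 }];

// Genuine user: moves the pointer onto the button, then clicks.
const GENUINE_USER = [
  { type: 'mousemove', x: 100, y: 100 },
  { type: 'mousemove', x: 480, y: 370 },
  { type: 'mousemove', x: 512, y: 380 },
  { type: 'click', x: 512, y: 380 },
];

// Browser wiring (skipped under Node): keep the real button disabled until armed.
if (typeof document !== 'undefined') {
  const guard = hardenedConsentHandler();
  const button = document.querySelector('#connect-wakatime'); // assumption: button id
  if (button) {
    button.disabled = true;
    for (const type of ['mousemove', 'keydown']) {
      document.addEventListener(type, (e) => {
        guard.handle({ type, x: e.clientX, y: e.clientY });
        button.disabled = !guard.isArmed();
      });
    }
    button.addEventListener('click', (e) => {
      if (!guard.handle({ type: 'click', x: e.clientX, y: e.clientY }).accepted) e.preventDefault();
    });
  }
}

// → decide(vulnerableConsentHandler(), DOUBLE_CLICKJACK).accepted is true,
//   decide(hardenedConsentHandler(), DOUBLE_CLICKJACK).accepted is false
```

The gesture check is a heuristic, not a proof of intent: it raises the bar for the popup-close trick but does not replace server-side controls on the authorization endpoint, and a user who happens to nudge the mouse before the second click will still arm the button. Treat it as one layer, alongside whatever confirmation step the consent flow already requires.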

Messages In This Thread
HackerOne disclosed reports - 2025-08-05 - by hashXploiter - 08-06-2025, 12:30 PM
