Dark C0d3rs

Full Version: HackerOne Disclosed Reports - 2025-08-05
Medium   |   resolved

Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https://wakatime.com/oauth/authorize


Bug reported by was disclosed on August 5, 2025, 11:25 pm   |   Violation of Secure Design Principles

The WakaTime OAuth authorization flow was vulnerable to a double-clickjacking attack. The attack allowed an attacker to trick users into unknowingly clicking the "Connect my WakaTime account" button in the consent dialog, enabling the attacker to register an OAuth application, capture the authorization code, and exchange it for an access token. This granted the attacker full access to defined permissions on behalf of the victim.
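The two halves of the fix a consent page needs are different in kind: classic clickjacking is stopped by forbidding framing, but double clickjacking swaps an entire top-level window under the cursor between the two clicks of a double-click, so framing rules never apply and the page itself has to refuse a click that arrives before the user has demonstrably interacted with it. The following is an added example written for this post, not WakaTime's code; the route, the `#connect-account` element id and the thresholds are assumptions.

```javascript
// Added example (not WakaTime's code): defence-in-depth for an OAuth consent page.
// (a) Classic clickjacking: refuse to be framed.
// (b) Double clickjacking: a whole window is swapped under the cursor between
//     two clicks, so the page must ignore a click that lands before any genuine
//     interaction (pointer movement or a key press) has happened inside it.

// (a) Headers to send with the consent page (route name is an assumption).
function consentPageHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
    'Cache-Control': 'no-store',
  };
}

// (b) Pure state machine for the "Connect my account" button. The button is
// armed only after the user has moved the pointer a few times (or pressed a
// key) inside this document, and then only after a short settle time, so the
// second click of a double-click that lands right after a window swap is
// rejected. Pure so it can be tested without a DOM. Thresholds are assumptions.
function createConsentGate({ minPointerMoves = 3, settleMs = 500 } = {}) {
  let pointerMoves = 0;
  let armedAt = null;
  const arm = (now) => { if (armedAt === null) armedAt = now; };
  return {
    onPointerMove(now) {
      pointerMoves += 1;
      if (pointerMoves >= minPointerMoves) arm(now);
    },
    onKeyDown(now) { arm(now); },
    isArmed(now) { return armedAt !== null && now - armedAt >= settleMs; },
    // true: honour the click; false: the click must be ignored.
    onClick(now) { return this.isArmed(now); },
  };
}

// Browser wiring: disables the button until the gate is armed and swallows
// early clicks in the capture phase. Only runs when a DOM exists.
function attachConsentGate(button, gate = createConsentGate()) {
  const now = () => Date.now();
  const refresh = () => { button.disabled = !gate.isArmed(now()); };
  button.disabled = true;
  document.addEventListener('pointermove', () => { gate.onPointerMove(now()); refresh(); });
  document.addEventListener('keydown', () => { gate.onKeyDown(now()); refresh(); });
  setInterval(refresh, 100);
  button.addEventListener('click', (ev) => {
    if (!gate.onClick(now())) { ev.preventDefault(); ev.stopImmediatePropagation(); }
  }, true);
  return gate;
}

if (typeof document !== 'undefined') {
  const btn = document.querySelector('#connect-account'); // assumed element id
  if (btn) attachConsentGate(btn);
}

// Constructed timeline of a double-clickjacking second click: the consent page
// appears under the cursor with no pointer movement having occurred in it.
function simulateDoubleClickjack() {
  const gate = createConsentGate();
  return gate.onClick(0); // false: nothing has interacted with the page
}

// Constructed timeline of a genuine user: moves onto the button, pauses, clicks.
function simulateGenuineUser() {
  const gate = createConsentGate();
  gate.onPointerMove(100); gate.onPointerMove(150); gate.onPointerMove(200);
  return gate.onClick(800); // true: armed at t=200 ms, 600 ms have since passed
}
```

The server-side headers and the client-side gate are independent: the headers alone would not have stopped the window-swap variant described in the report, and the gate alone would not stop a framed overlay, so a consent page wants both. Keep the settle time short enough not to annoy real users; the point is only to reject a click with no preceding interaction, not to slow the flow down.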