WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https://wakatime.com/oauth/authorize

Update Information

Title: WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https://wakatime.com/oauth/authorize
Update ID: H1:3287060
Type: hackerone
Published: 2025-08-05T14:08:05
Last Updated: 2025-08-05T23:25:44

Security Impact

Severity: NONE

AI Analysis

AI Description: A double-clickjacking vulnerability in WakaTime’s OAuth authorization flow allowed attackers to trick users into granting unauthorized access to their accounts. This could lead to full access to user permissions. The attack relied on user interaction but posed a significant risk due to the potential impact.
AI Severity: Medium
AI Vendor: WakaTime
AI Product: WakaTime OAuth Authorization Flow
AI Version: Unknown

Update Details

The WakaTime OAuth authorization flow was vulnerable to a double-clickjacking attack. The attack allowed an attacker to trick users into unknowingly clicking the “Connect my WakaTime account” button in the consent dialog, enabling the attacker to register an OAuth application, capture the authorization code, and exchange it for an access token. This granted the attacker, acting on behalf of the victim, full access to the permissions the attacker's application had requested.
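Double clickjacking works because the victim's second click lands on a consent button that has just been placed under the cursor, with no prior movement or dwell time on the consent page. A common defence is to keep the consent button disabled until the page has been visible for a moment and has seen a genuine pointer or keyboard gesture. The following is an added example of that defence (not WakaTime's code); the 500 ms arming delay and the event names are assumptions chosen for illustration:

```javascript
// Minimum time the consent page must be visible before its button may be armed
// (constructed value for this example).
const ARM_DELAY_MS = 500;

// Pure decision logic, kept free of DOM calls so it can be unit-tested outside a
// browser. `events` is the ordered list of {type, t} the page observed since
// load (t in ms); `now` is the current time in the same clock.
// The button is armed only if the page is currently visible, has stayed visible
// for at least ARM_DELAY_MS, and a pointermove/keydown occurred while visible.
// A bare click arriving right after the page appears (the double-clickjacking
// pattern) satisfies none of these and is rejected.
function consentButtonArmed(events, now) {
  let visibleSince = null;
  let gestureSeen = false;
  for (const ev of events) {
    if (ev.type === 'visible') {
      visibleSince = ev.t;
      gestureSeen = false;          // a gesture must occur in this visible period
    } else if (ev.type === 'hidden') {
      visibleSince = null;
      gestureSeen = false;
    } else if ((ev.type === 'pointermove' || ev.type === 'keydown') && visibleSince !== null) {
      gestureSeen = true;
    }
  }
  return visibleSince !== null && gestureSeen && (now - visibleSince) >= ARM_DELAY_MS;
}

// Browser wiring: record events and re-evaluate the button state on each one.
// Guarded so the module also loads under Node for testing.
if (typeof document !== 'undefined') {
  const button = document.getElementById('consent-button'); // assumed element id
  const events = [];
  button.disabled = true;
  const update = () => { button.disabled = !consentButtonArmed(events, performance.now()); };
  const record = (type) => { events.push({ type, t: performance.now() }); update(); };
  record(document.visibilityState === 'visible' ? 'visible' : 'hidden');
  document.addEventListener('visibilitychange', () =>
    record(document.visibilityState === 'visible' ? 'visible' : 'hidden'));
  document.addEventListener('pointermove', () => record('pointermove'));
  document.addEventListener('keydown', () => record('keydown'));
  setTimeout(update, ARM_DELAY_MS + 50); // re-check once the delay has elapsed
}
```

The server should still re-verify the consent request itself; this client-side arming only removes the window in which a redirected second click can land on a live button.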
