{"id":9777,"date":"2025-08-05T19:52:47","date_gmt":"2025-08-05T19:52:47","guid":{"rendered":"http:\/\/localhost\/?p=9777"},"modified":"2025-08-05T19:52:47","modified_gmt":"2025-08-05T19:52:47","slug":"wakatime-double-clickjacking-attack-on-wakatime-oauth-authorization-flow-at-httpswakatimecomoauthaut","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=9777","title":{"rendered":"WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize"},"content":{"rendered":"

Security Update News<\/h2>\n

Update Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nWakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize<\/td>\n<\/tr>\n
Update ID<\/th>\nH1:3287060<\/td>\n<\/tr>\n
Type<\/th>\nhackerone<\/td>\n<\/tr>\n
Published<\/th>\n2025-08-05T14:08:05<\/td>\n<\/tr>\n
Last Updated<\/th>\n2025-08-05T23:25:44<\/td>\n<\/tr>\n<\/table>\n

Security Impact<\/h3>\n\n\n
Severity<\/th>\nNONE<\/td>\n<\/tr>\n<\/table>\n

AI Analysis<\/h3>\n\n\n\n\n\n\n
AI Description<\/th>\nA double-clickjacking vulnerability in WakaTime’s OAuth authorization flow allowed attackers to trick users into granting unauthorized access to their accounts. This could lead to full access to user permissions. The attack relied on user interaction but posed a significant risk due to the potential impact.<\/td>\n<\/tr>\n
AI Severity<\/th>\nMedium<\/td>\n<\/tr>\n
AI Vendor<\/th>\nWakaTime<\/td>\n<\/tr>\n
AI Product<\/th>\nWakaTime OAuth Authorization Flow<\/td>\n<\/tr>\n
AI Version<\/th>\nUnknown<\/td>\n<\/tr>\n<\/table>\n

Update Details<\/h3>\n
\nThe WakaTime OAuth authorization flow was vulnerable to a double-clickjacking attack. The attack allowed an attacker to trick users into unknowingly clicking the “Connect my WakaTime account” button in the consent dialog, enabling the attacker to register an OAuth application, capture the authorization code, and exchange it for an access token. This granted the attacker full access to defined permissions on behalf of the victim.\n<\/div>\n

View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Security Update News Update Information Title WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize Update ID H1:3287060 Type hackerone Published 2025-08-05T14:08:05 Last…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-9777","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nWakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=9777\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize Update ID H1:3287060 Type hackerone Published 2025-08-05T14:08:05 Last...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=9777\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-05T19:52:47+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9777#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9777\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\\\/\\\/wakatime.com\\\/oauth\\\/authorize\",\"datePublished\":\"2025-08-05T19:52:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9777\"},\"wordCount\":189,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"hackerone\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=9777#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9777\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9777\",\"name\":\"WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\\\/\\\/wakatime.com\\\/oauth\\\/authorize - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-08-05T19:52:47+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9777#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=9777\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9777#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\\\/\\\/wakatime.com\\\/oauth\\\/authorize\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=9777","og_locale":"en_US","og_type":"article","og_title":"WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize - zero redgem","og_description":"Security Update News Update Information Title WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize Update ID H1:3287060 Type hackerone Published 2025-08-05T14:08:05 Last...","og_url":"https:\/\/zero.redgem.net\/?p=9777","og_site_name":"zero redgem","article_published_time":"2025-08-05T19:52:47+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=9777#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=9777"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize","datePublished":"2025-08-05T19:52:47+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=9777"},"wordCount":189,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","hackerone","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=9777#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=9777","url":"https:\/\/zero.redgem.net\/?p=9777","name":"WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-08-05T19:52:47+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=9777#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=9777"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=9777#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https:\/\/wakatime.com\/oauth\/authorize"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/9777","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9777"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/9777\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9777"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9777"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9777"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}