The WakaTime OAuth authorization flow was vulnerable to a double-clickjacking attack. The attack allowed an attacker to trick users into unknowingly clicking the "Connect my WakaTime account" button in the consent dialog, enabling the attacker to register an OAuth application, capture the authorization code, and exchange it for an access token. This granted the attacker full access to defined permissions on behalf of the…Read More
WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https://wakatime.com/oauth/authorize
