Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https://wakatime.com/oauth/authorize
Severity: Medium
Program: WakaTime
Reported by: zeesozee
## Summary:
An attacker can trick users into unknowingly clicking the "Connect my WakaTime account" button in the WakaTime App consent dialog using a double-clickjacking attack. The attacker registers a WakaTime OAuth App, hosts a phishing page, and makes the victim accidentally click the Authorize button.
The attacker can then capture the authorization code and exchange it for an access token, allowing them to perform actions on behalf of the victim. This is similar to a clickjacking attack, but traditional protections like X-Frame-Options do not prevent it. The impact is that the attacker's application has full access to the requested [permissions](https://wakatime.com/developers).
## PoC Video:
{F4647670}
## Attack Flow:
1. The attacker creates an initial webpage with a button that opens a new window (or simply opens a new window without user interaction), let's say it's https://attacker.com
2. The current tab is redirected to the WakaTime OAuth Authorization URL, for example:
https://wakatime.com/oauth/authorize?client_id=joUNHCTnWqQ9hsmrWS5CTokR&response_type=code&redirect_uri=https://webhook.site/15495620-7c98-4643-a6df-9e7864c0dead&scope=read_orgs,write_orgs, which looks like this:
{F4647671}
3. At the same time, a new tab is opened at https://attacker.com/attack, which looks like this:
{F4647672}
4. Notice that the "Double Click" button is aligned to be in the same position as the "Connect my WakaTime account" button. If it is not aligned perfectly, adjust the `positions` variable in the source code. The first click closes the /attack tab, and the second click lands on the "Authorize" button.
5. The browser is redirected to `https://webhook.site/15495620-7c98-4643-a6df-9e7864c0dead?code=CODE`. At this point, it is up to the attacker to store the code and exchange it for an access token. The attacker can now call the API endpoints with the granted permissions. To keep the victim from noticing the attack, the attacker page can redirect to another website after the code is received.
## Steps To Reproduce:
1. Download the source code from the attached file: {F4647674}.
2. Create a new WakaTime app at https://wakatime.com/apps/new.
3. Fill in the details like this:
{F4647682}
4. In the source code, in `index.html` on the `const url=...` line, replace the values with your `client ID` and `redirect_uri`.
5. Run the Flask app with **python main.py**.
6. Simulate the attack using a victim account.
## Notes:
- The victim needs to be already logged in to WakaTime.
- The double-click button may not align perfectly, but there are ways to make the button flexible. You can adjust the position of the button in `attack.html`. In this simple PoC, I only demonstrated the technique.
- Browser, OS and/or app version used during testing: Firefox Browser 140.0.2 (64-bit), Windows.
## Fix Suggestion:
Eliminate the risk of DoubleClickjacking by disabling critical buttons by default unless a gesture is detected (e.g., moving the mouse or using the keyboard).
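The mitigation suggested above, as an added defensive example that is not WakaTime's code: a small gate that keeps the consent button disabled until the window has been active for a short dwell time and a genuine in-page gesture has been seen, which breaks the rapid focus-then-click timing the attack relies on. The element id `authorize`, the 500 ms dwell and the simulated timelines are assumptions.

```javascript
const GESTURE_EVENTS = new Set(['mousemove', 'keydown', 'touchstart']);
const ACTIVATION_EVENTS = new Set(['pageshow', 'focus', 'visibilitychange']);

// Decides whether the consent button may be enabled. It stays disabled until
// (a) the window has become active, (b) a real gesture has been seen since
// then, and (c) at least minDwellMs have passed since activation.
function createConsentGate(minDwellMs = 500) {
  let activatedAt = null;
  let gestureSeen = false;
  return {
    onEvent(type, now) {
      if (ACTIVATION_EVENTS.has(type)) {
        activatedAt = now;      // window (re)gained focus: re-arm the gate
        gestureSeen = false;
      } else if (GESTURE_EVENTS.has(type) && activatedAt !== null) {
        gestureSeen = true;
      }
    },
    isEnabled(now) {
      return activatedAt !== null && gestureSeen && now - activatedAt >= minDwellMs;
    },
  };
}

// Constructed timeline matching the report: the overlay tab closes on the
// first click, the OAuth page gains focus, and the second click lands about
// 100 ms later with no mouse movement on the consent page.
function simulateDoubleClickjack(gate = createConsentGate()) {
  gate.onEvent('focus', 0);
  return gate.isEnabled(100);
}

// Constructed timeline for a real user: focus, move the mouse, click later.
function simulateLegitimateUser(gate = createConsentGate()) {
  gate.onEvent('focus', 0);
  gate.onEvent('mousemove', 250);
  return gate.isEnabled(900);
}

// Browser wiring (hypothetical element id "authorize"); skipped under Node.
if (typeof document !== 'undefined') {
  const gate = createConsentGate();
  const button = document.getElementById('authorize');
  const refresh = () => { button.disabled = !gate.isEnabled(performance.now()); };
  for (const type of [...ACTIVATION_EVENTS, ...GESTURE_EVENTS]) {
    window.addEventListener(type, () => { gate.onEvent(type, performance.now()); refresh(); });
  }
  gate.onEvent('pageshow', performance.now());
  refresh();
  setInterval(refresh, 100);   // re-check as the dwell time elapses
}
```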
## Supporting Material/References:
- https://jorianwoltjer.com/blog/p/hacking/pressing-buttons-with-popups
- https://www.evil.blog/2024/12/doubleclickjacking-what.html
- https://www.evil.blog/2024/02/cross-window-forgery-web-attack-vector.html?m=1
## Impact
This vulnerability allows an attacker to trick a logged-in WakaTime user into unknowingly authorizing an attacker-controlled third-party application. The attacker then obtains an access token and can read resources from the WakaTime API according to the granted scopes and permissions. The maximum permission an attacker can obtain is all scopes, as explained at https://wakatime.com/developers.
## Report Details
State: Closed
Substate: Resolved
Weakness: Violation of Secure Design Principles