WakaTime: Missing filteration of meta characters in all full name field on wakatime.com

ID H1:245236
Type hackerone
Reporter silv3rpoision
Modified 2017-07-04T01:57:20


Hi there

Vulnerability Title:

Meta characters are not filtered into full name


You haven't filtered control meta characters such as %00 etc in full name field which allows an attacker to impersonate or hide their real identity within the application. This one is not rejected. It turns out that it is possible to register a user's full name with special sign %0a(appended in proxy).


Attacker can impersonate user by appending meta characters.


You should disallow nullbytes in the name(here full name field).

Happy to Help

Thanks Piyush kumar