GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
Cybersecurity researchers have flagged yet another evolution of the ongoing GlassWorm campaign, which employs a new Zig dropper that's designed to stealthily infect all integrated development environments (IDEs) on a developer's machine. The technique has been discovered in an Open VSX extension...
WakaTime: Invalid
Summary: While testing the OAuth implementation on your platform, I discovered a critical vulnerability that allows a malicious attacker to take over any victim’s account and maintain persistent access even if the victim later verifies their email or changes their password. This issue arises...
WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https://wakatime.com/oauth/authorize
The WakaTime OAuth authorization flow was vulnerable to a double-clickjacking attack. The attack allowed an attacker to trick users into unknowingly clicking the "Connect my WakaTime account" button in the consent dialog, enabling the attacker to register an OAuth application, capture the...
WakaTime: Unauthorized Disclosure of Private Emails via WakaTime Private Leaderboards
The vulnerability allowed unauthorized disclosure of private email addresses of WakaTime users through the private leaderboards feature. The email addresses were exposed to leaderboard creators and members, even when the users had not chosen to make their emails public...
WakaTime: Not a Vuln: Race Condition Allows Creation of Multiple Organizations with the Same Name
Summary: A race condition vulnerability exists in the organization creation logic that allows an attacker to create multiple organizations with the same name, violating the expected uniqueness constraint enforced by the UI. This could lead to confusion, broken business logic, or potential misuse...
WakaTime: user api key leaked
The user's API key was found exposed in an older URL while testing the WakaTime tool. The API key successfully authenticated requests to a restricted endpoint, indicating that it was valid and granted access to protected resources...
WakaTime: Leaked credentials (emails and passwords, etc.)
The security researcher reported the discovery of a large number of leaked credentials, including emails and passwords, on a Telegram bot. The source of the leaked data is unknown, but the volume of exposed information is substantial. The researcher did not attempt to verify the validity of the...
WakaTime: Login Information and Credentials Have Been Leaked on wakatime.com
A security vulnerability was identified on wakatime.com, where user login information, including usernames and passwords, was leaked to the public. The issue appears to have been caused by insufficient protection of sensitive data, potentially due to inadequate encryption or improper handling of...
WakaTime: User Email Disclosure via ID-Based Invitation
The issue occurs when inviting a user by their WakaTime ID. If a user has set their email to private, their email address was disclosed when they were invited using their ID. This contradicted the privacy settings and led to unintended email exposure...
WakaTime: Private leaderboard owner email disclosure when sending invites
Hi, the unverified email disclosure when inviting anyone on Leaderboards. Steps: 1. Create account [email protected]. 2. Do not verify email. 3. Go to Leaderboards. 4. Invite any email [email protected] (your friends). 5. Your friends look in their inbox; the WakaTime invite says [email protected]...
WakaTime: [invalid][false-positive] csrftoken on profile page
Steps to reproduce: 1. Go to https://wakatime.com and create an account. 2. Log in, then go to the public profile. 3. Change the full name, intercept the request in Burp Suite and delete the csrftoken. 4. After forwarding, you see the name was changed. Impact: Violation of Secure Design Principles...
WakaTime: Rate Limit too lenient for endpoint sending emails
Rate limiting is a process used to define the rate at which consumers can access APIs; it determines the speed at which a consumer can access APIs. The rate limit is calculated in real time. How to reproduce: 1. Sign up for a WakaTime account. Domain: www.wakatime.com 2. After...
WakaTime: Can link to websites from profile
When I input a website on my profile it creates a tag link: test.org. This is a flaw; how? If the owner of the profile adds a malicious link, it is possible to redirect the user to a phishing page of wakatime. Here's the scenario of this attack: 1. Attacker puts a malicious link on his profile. 2. Once t...
WakaTime: password token validation
Hello, when I reset my password all tokens remain valid and can be used; only the token from the last request should stay valid, or you can invalidate all reset links after one of the requests is used successfully. Steps: 1. Go to the password reset page and make more than one request. 2. Go to your email and use...
WakaTime: previous token seems to work even though it does not verify email
Hi there, Summary: the same confirmation token can be reused for the email address, whereas the previous token and the new token are not the same. When the user tries to confirm his email with the previous token, it will be confirmed, which means that the token does not expire...
WakaTime: Impersonation of Wakatime user using Invitation functionality.
Hi wakatime team, I have found a vulnerability in your leaderboard invitation functionality which can be used to trick victims in the name of wakatime. Anyone can sign up with any email ID and use the leaderboard invitation to invite anyone. This loophole can be leveraged for impersonation o...
WakaTime: SSH backdated version open port
You are running a version of OpenSSH which is older than 6.7. Versions prior to 6.7 are vulnerable to an off-by-one error that allows local users to gain root access, and it may be possible for remote users to similarly compromise the daemon for remote access. In addition, a vulnerable SSH clien...
WakaTime: [wakatime.com] HTML Injection github-btn.html
Description === Vulnerable parameter: user Vulnerable script: https://wakatime.com/static/html/github-btn.html Vulnerable code (js): var params = function() { var vars = {}, hash; var hashes = window.location.href.slice(window.location.href.indexOf("?") + 1).split("&"); for (var i = 0; i...
WakaTime: by pass rate limit exceed
ERROR 429 FOR RATE LIMIT EXCEEDED when accessing the login page: when I am trying to access the login page after a couple of requests, the web server shows a 429 error; after refreshing the same page I got access to the login page. This is because of a weak rate limit. THANKING YOU...
WakaTime: Using an outdated version of OpenSSH on db01.wakatime.com
Hi team once again, hope you are better. I have found that db01.wakatime.com is using an outdated OpenSSH version leading to multiple vulnerabilities. How I found it: I scanned the domain with nmap and it gave me an open port 222, and when I connected to it with ncat it got connected and showed the...