WakaTime bug reports (Public)
4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017
Team | Bounty | Title
WakaTime | - | Impersonation of Wakatime user using Invitation functionality.
WakaTime | - | Failure to check password history
WakaTime | - | Session Duplication due to Broken Access Control
WakaTime | - | Bypass rate limit exceeded
WakaTime | - | [Privilege Escalation] Authenticated users can manipulate others' fullname without their knowledge [Team Vector]
WakaTime | - | Running 2 accounts with a single email
WakaTime | - | Password Policy Issue
WakaTime | - | Blocking users from signing up on the site
WakaTime | - | No rate limit on creating private leaderboards.
WakaTime | - | Sensitive Cookie Without 'HttpOnly' Flag
WakaTime | - | JSON CSRF on POST Heartbeats API
WakaTime | - | Bypassing Access control, changing owner's name in a private leaderboard
WakaTime | - | Lack of Password Confirmation When Changing Email
WakaTime | - | Missing Account Deletion Notification
WakaTime | - | Two email addresses can access the same account
WakaTime | - | Missing filtration of meta characters in all full name fields on wakatime.com
WakaTime | - | No rate limiting for confirmation email, can spam anyone with confirmation emails
WakaTime | - | Session not expired on logout
WakaTime | - | No notification sent on email after account deletion.
WakaTime | - | Clickjacking on authorized page https://wakatime.com/share/embed
WakaTime | - | No redirect uri for Twitter OAuth resulting in token leak
WakaTime | - | Login page password-guessing attack
WakaTime | - | Session Not Expired On Logout
WakaTime | - | No rate limit when creating new goals [https://wakatime.com/goals]
WakaTime | - | Logout CSRF
WakaTime | - | https://wakatime.com/ website CSP "script-src" includes "unsafe-inline"
WakaTime | - | Unsafe Inline and Eval CSP Usage
WakaTime | - | UI Redressing on Embedded Charts
WakaTime | - | Add arbitrary content to Password Reset Email
WakaTime | - | Forgot password link doesn't expire after use, only after some hours
WakaTime | - | IDOR create accounts and verify them with original account email
WakaTime | - | Password token validation in https://wakatime.com/
WakaTime | - | Password reset links should expire after being used, instead of at a specific time
WakaTime | - | [Privilege Escalation] Authenticated users can manipulate others' fullname without their knowledge
WakaTime | - | Email Spoofing Via /api/v1/users/reset_password
WakaTime | - | Mailgun misconfiguration
WakaTime | - | [https://wakatime.com/reset_password/] Leaking password reset token via referrer
WakaTime | - | Missing SPF Flags