Clockify is a popular time tracker and timesheet app for teams of all sizes.

The team was missing a major logical vulnerability in the team management functionality, and a significant path traversal bug in user account handling.

I analyzed the API requests and spotted two critical security issues:

  1. User account takeover issue affecting 2+ million users. Exploiting path traversal bug was the entry point to this issue.

  2. Any low privileged user could have been an admin of his team’s workspace through exploiting a logical issue presented in the team management functionality. This affected 150k+ teams.

Then I assisted the software engineers to study these bugs by presenting a step-by-step explanation video and a detailed security report of the vulnerabilities.


  • Helped them grow the main API security by 200%.

  • Found 1 critical account takeover vulnerability that enabled hacking 2+ Million user accounts.

  • Uncovered 2 API security issues affecting the user verification process.

  • Located 1 workspace takeover vulnerability affecting 150k+ teams in Clockify application.

  • Helped the team to study the security vulnerability by preparing a detailed security report.

  • Published a technical write-up about one security finding that led to 5.7k views.

  • The Clockify team partially disclosed the report on their website.


Clio is a top legal software for clients, cases, billing, and more.

I went through all the features of the web application. There was 2-factor authentication in place for user accounts as extra protection. Another feature was changing the emails of the clients of a legal firm.

I found a neat trick to break the access control policy on email changing functionality. This resulted in hacking 150k+ legal professional accounts and their client accounts. It also bypassed the 2-factor authentication of user accounts.

I got a special appreciation from the security team for finding the best security issue on the Clio platform.


  • Secured 150k+ lawyers' accounts from cyber-attacks.

  • Identified an account takeover vulnerability.

  • Got a special acknowledgment from the team for discovering the best critical finding in Clio API.

  • Built a comprehensive security report for a serious security vulnerability in their API


Here is a writeup about an SSRF vulnerability in their web app