Again about Piwik

I thought this update deserves a separate post so here is the latest update to “Scary piwik findings“.

It seems my post regarding Piwik caused a lot of rumors and discussions.

Piwik contacted me yesterday with the following mail:

…Unfortunately, not all of the points mentioned are correct and we kindly ask you to issue a public correction, especially because your blog is a valued source of knowledge for many IT professionals. Below we present a short clarification of the two points raised in your article.

Firstly, all Piwik users have the possibility to make their analytics report data publicly accessible by anyone, but this is by no means a default setting. By default, all reports are protected and nobody can view the collected and analysed data without first signing in with a valid user account. It is, however, possible to make reports available to anyone – this feature was developed on purpose and is well-documented in Piwik’s FAQ. Some organisations, such as the Pirate Party mentioned in your publication, decide to make their analytics data open to anyone on purpose. This is mainly because their Piwik data may be of use to their communities.

Secondly, it’s true that some of the Piwik servers’ URLs can be discovered in search engines using allinurl: “piwik/index.php”. We would like to emphasise that this poses no security risk as Piwik, by default, protects all user data behind a login screen and there is no possibility of a data leak. Furthermore, an improvement will be developed by our community to tackle this issue (details:

And here is what I responded:

many thanks for your mail. I mainly agree to almost everything but not with all you wrote.

First of all, let me assure you that it was also not my intention to blame Piwik as I found it to be one of the (if not the) best statistics tools available, especially due to it’s possibility to generate stats without storing IP address information – as already mentioned in my blog.

I am usually referring to Piwik as “the opposite to Google Analytics” which I hope is a compliment.

I am aware and can confirm that the default settings of Piwik don’t allow unauthorized access to the stats per se.

However, my findings did indeed reveal security issues along with Piwik installations as follows:

When using these inurl: queries, you will find a lot of half-done or broken Piwik installations. The diagnostic messages that can be found are very helpful for the webmaster to fix the Piwik installation issues. However it is also very helpful for hackers as these diagnostic messages reveal the physical server directory structures, database names and I even saw DB user names entered by the webmaster. One example, why this is dangerous is the recent ProFTPD exploit for which a hacker will just need to know the physical directory structure in order to copy files to other location which can either be accessed from outside or files that contain information that, once overwritten, will no longer protect files or directories.

Second, even if the default settings of Piwik don’t allow anonymous access, it is scary to see so many installations where it is indeed possible. In most cases it is quite obvious that those installations are not intended to be open for the public and as mentioned in my blog, even if anonymous access has not been configured, in some cases it was possible to download the stats via the Piwik API. This at least sounds as there are webmasters who have issues with a correct configuration of Piwik.

Finally, the huge amount of wrong, mis-configured and unintentionally open Piwik installations surprises me. I can’t remember similar findings in similar cases like some years ago with phpBB.

Regarding the Pirate Party, they seem to have a communication issue as they are talking about different Piwik installations and they claim they are using Piwik since May 18. 2015 but their Stats start in 2011 and they forgot (still!) to update their disclaimers on the two mentioned websites. But that’s no security issue and not really worth to follow up. Just for clarification.

My suggestions to you are as follows:

  • It seems some Piwik installations used to be ok some time ago but for some reasons (maybe changes/updates on a server) seem to get broken. In such situations, I would suggest to not reveal server information on the Piwik Admin website.
  • In general, I would rather suggest storing such information in log-files instead of displaying them so that they can only be accessed with appropriate privileges.
  • I would suggest to split/separate the API URL from the Admisistration and Statistics URL. That would also support the use of .htaccess protection to the Admin and/or Statistics part of Piwik.
  • I would definitely recommend to add the noindex, nofollow metatags as mentioned in your blog but I would also suggest to place an initial robots.txt file on the webserver root if it doesn’t exist or add lines to it if it exists. Both at least hides Piwik from search engines (even though not all engines regard those but Google does and was the main source of my findings)
  • If one or all of the above would be too difficult or not yet possible, at least place some big warnings in your setup documentation or setup UI (like you already do for other purposes)

I really appreciate your efforts to improve security and privacy in Piwik.

This helps to create a better, more secure world.

Thanks again,

best regards,


Why is McAffee, Avast, Symantec free ? They collect and sell your data! (updated)

Did you ever wonder why companies like Oracle or Adobe always wants to install unwanted software such as McAffee along with their free Java or Acrobat Reader ?

Or why so called “Best Antivirus Software” such as Avast or Symantec comes for free from your provider or pre-installed on your PC ?

Are those companies so generous? Do they only want your best?

You guessed it : No, of course not. They want money. Not just your money.

They get paid for every single installation of this unwanted piece of software!

So why is that ?

Because the unwanted software gets paid because it collects your data and they sell it.

Ok, you don’t believe me right ?

So here is an example:

Avast recently confirmed that they collect your data while running on your PC and scanning for viruses (see here if you don’t believe me)

Jumpshot is selling your data for just as much as US$ 500 per month! per account (see their pricing on

Avast claims that they don’t make money out of that but do you believe this ?

Do you believe McAffee, Ask with their Ask Toolbox and others don’t make money with collecting your data?

I personally don’t.


It’s a funny coincident that Tim Cook yesterday talked about the very same subject. His speech at the Electronic Privacy Information Center (EPIC) is really worth reading and most of what he said speaks my mind. You can find his speech on the verge .

He said for instance:

“You might like these so-called free services, but we don’t think they’re worth having your email or your search history or now even your family photos data-mined and sold off for God knows what advertising purpose,” … “And we think someday, customers will see this for what it is.”

Don’t trust the evil!



Scary piwik findings – Update 3

Maybe not all of you know what Piwik is. It is very nice tool for website statistics. I like this tool especially because it offers features to hide and even don’t record visitors IP addresses and private information but still generates nice and good website statistics. So I would call it basically the opposite of Google Analytics.

Since Piwik is getting increasingly popular, many websites started using Piwik but like so often, even Piwik requires some basic understanding of PHP, Linux and Server security. Some website Admins seem to be blinded by the easy user interface and assume it is as easy to configure.

Obviously that’s not the case. There are several open (and more worse: half-done) Piwik Installations out there which can be accessed by anyone easily. Such installations are quite dangerous for the webadmin because they reveal a lot of important insight information about the server configuration and it will not take much to use such an installation to hijack a complete server.

You may wonder how such servers can be found. This is also quite easy and in that case Google is our friend (in other cases I would reject this statement vehemently). As mentioned some posts before, Google can be used to search for URLs with specific parameters if you prefix your search term with


so in case of Piwik you can enter

allinurl: "piwik/index.php"

Which will give you a list of websites where piwik is installed. It is funny alone to browse through these findings which often contains error backtraces and error logs.

I was even (not) more surprised that some installations even allowed anonymous access with admin privileges. To check for this, one just needs to add either either this:


or this


to the Google result list url right after


So for instance




There seems to be an issue with Piwik that it is possible to download statistics even if there is no view access. If you add


You will get a nice Excel or CSV file with the website details of Site=1 (change to any other number for additional websites).


I did contact the German “Piraten Partei” before I wrote this blog post. So far: no answer. Meanwhile they responded to the press that they intentionally left the Statistics open to the public. This is fair enough as there is nothing to hide.

However, two questions remain:

  1. why don’t they tell us that they are collecting our information (especially search queries, website referrals and exit sites) ? In their website disclaimer (even on Andrea Bogners website) they say “Eine Speicherung von Verbindungsdaten … erfolgt nicht” which means “we don’t store connection data” which is obviously wrong.
  2. If they intentionally left their Piwik stats accessible, why don’t they officially link to these stats. Is there just an elitist circle who had or has access to these stats ?


Please read this separate post for a further update.

Best Regards,