I thought this update deserves a separate post so here is the latest update to “Scary piwik findings“.
It seems my post regarding Piwik caused a lot of rumors and discussions.
Piwik contacted me yesterday with the following mail:
…Unfortunately, not all of the points mentioned are correct and we kindly ask you to issue a public correction, especially because your blog is a valued source of knowledge for many IT professionals. Below we present a short clarification of the two points raised in your article.
Firstly, all Piwik users have the possibility to make their analytics report data publicly accessible by anyone, but this is by no means a default setting. By default, all reports are protected and nobody can view the collected and analysed data without first signing in with a valid user account. It is, however, possible to make reports available to anyone – this feature was developed on purpose and is well-documented in Piwik’s FAQ. Some organisations, such as the Pirate Party mentioned in your publication, decide to make their analytics data open to anyone on purpose. This is mainly because their Piwik data may be of use to their communities.
Secondly, it’s true that some of the Piwik servers’ URLs can be discovered in search engines using allinurl: “piwik/index.php”. We would like to emphasise that this poses no security risk as Piwik, by default, protects all user data behind a login screen and there is no possibility of a data leak. Furthermore, an improvement will be developed by our community to tackle this issue (details: https://github.com/piwik/piwik/issues/6552).
And here is what I responded:
many thanks for your mail. I mainly agree with almost everything, but not with all you wrote.
First of all, let me assure you that it was also not my intention to blame Piwik, as I found it to be one of the (if not the) best statistics tools available, especially due to its possibility to generate stats without storing IP address information – as already mentioned in my blog.
I am usually referring to Piwik as “the opposite to Google Analytics” which I hope is a compliment.
I am aware and can confirm that the default settings of Piwik don’t allow unauthorized access to the stats per se.
However, my findings did indeed reveal security issues along with Piwik installations as follows:
When using these inurl: queries, you will find a lot of half-done or broken Piwik installations. The diagnostic messages that can be found are very helpful for the webmaster to fix the Piwik installation issues. However it is also very helpful for hackers as these diagnostic messages reveal the physical server directory structures, database names and I even saw DB user names entered by the webmaster. One example, why this is dangerous is the recent ProFTPD exploit for which a hacker will just need to know the physical directory structure in order to copy files to other location which can either be accessed from outside or files that contain information that, once overwritten, will no longer protect files or directories.
Second, even if the default settings of Piwik don’t allow anonymous access, it is scary to see so many installations where it is indeed possible. In most cases it is quite obvious that those installations are not intended to be open to the public and, as mentioned in my blog, even if anonymous access has not been configured, in some cases it was possible to download the stats via the Piwik API. This at least sounds as if there are webmasters who have issues with a correct configuration of Piwik.
Finally, the huge amount of wrong, mis-configured and unintentionally open Piwik installations surprises me. I can’t remember similar findings in similar cases like some years ago with phpBB.
Regarding the Pirate Party, they seem to have a communication issue as they are talking about different Piwik installations and they claim they have been using Piwik since May 18, 2015, but their stats start in 2011 and they forgot (still!) to update their disclaimers on the two mentioned websites. But that’s no security issue and not really worth following up. Just for clarification.
My suggestions to you are as follows:
- It seems some Piwik installations used to be ok some time ago but for some reasons (maybe changes/updates on a server) seem to get broken. In such situations, I would suggest to not reveal server information on the Piwik Admin website.
- In general, I would rather suggest storing such information in log-files instead of displaying them so that they can only be accessed with appropriate privileges.
- I would suggest to split/separate the API URL from the Administration and Statistics URL. That would also support the use of .htaccess protection for the Admin and/or Statistics part of Piwik.
- I would definitely recommend adding the noindex, nofollow meta tags as mentioned in your blog, but I would also suggest placing an initial robots.txt file on the webserver root if it doesn’t exist, or adding lines to it if it exists. Both at least hide Piwik from search engines (even though not all engines regard those, Google does and was the main source of my findings).
- If one or all of the above would be too difficult or not yet possible, at least place some big warnings in your setup documentation or setup UI (like you already do for other purposes).
I really appreciate your efforts to improve security and privacy in Piwik.
This helps to create a better, more secure world.
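For webmasters who want to check their own Piwik installation against the points raised in the exchange above (a robots.txt entry, the noindex/nofollow meta tag, refusal of unauthenticated API calls, and no server paths leaking from a broken installer page), here is a small audit script. It is an added example written for this page, not code from the original post or from the Piwik project; the install path `/piwik/`, the helper names, the JSON error shape assumed for a refused API call, and every sample response in it are constructed for the demonstration.

```python
"""Audit helpers for a self-hosted Piwik installation (added example, not
Piwik's own code). Feed it the bodies you fetched from your own server;
the sample responses at the bottom are constructed, not captured."""
import json
import re
from html.parser import HTMLParser

PIWIK_PATH = "/piwik/"  # assumed install path; adjust for your server


class _MetaRobots(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots":
            self.directives += [d.strip().lower() for d in a.get("content", "").split(",")]


def has_noindex_nofollow(html):
    """True if the page carries both noindex and nofollow robots directives."""
    p = _MetaRobots()
    p.feed(html)
    return {"noindex", "nofollow"} <= set(p.directives)


def robots_txt_blocks(robots_txt, path):
    """True if a Disallow rule in a 'User-agent: *' group covers `path`.
    Simplified robots.txt parsing: every User-agent line starts a new group."""
    in_wildcard_group = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            in_wildcard_group = (value == "*")
        elif field == "disallow" and in_wildcard_group and value and path.startswith(value):
            return True
    return False


def api_refuses_anonymous(body):
    """Assumed shape: a refused JSON API call answers {"result": "error", ...}.
    Anything else that parses as report data means anonymous access works."""
    try:
        data = json.loads(body)
    except ValueError:
        return False  # unexpected format: cannot confirm a refusal
    return isinstance(data, dict) and data.get("result") == "error"


# Absolute Unix paths under common web roots, or Windows drive paths.
_PATH_RE = re.compile(r"(?:/(?:var|home|srv|usr|opt)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+)")


def leaked_server_paths(body):
    """Filesystem paths visible in a page body, e.g. installer diagnostics."""
    return sorted(set(_PATH_RE.findall(body)))


def audit(ui_html, robots_txt, api_body, diag_html=""):
    """Map each check to True (passes) or False (needs attention)."""
    return {
        "meta_noindex_nofollow": has_noindex_nofollow(ui_html),
        "robots_txt_disallows_piwik": robots_txt_blocks(robots_txt, PIWIK_PATH),
        "api_refuses_anonymous": api_refuses_anonymous(api_body),
        "no_server_paths_leaked": not leaked_server_paths(diag_html),
    }


# Constructed sample responses (not from any real installation).
GOOD_UI = '<html><head><meta name="robots" content="noindex,nofollow"></head></html>'
BAD_UI = '<html><head><title>Piwik</title></head></html>'
GOOD_ROBOTS = "User-agent: *\nDisallow: /piwik/\n"
BAD_ROBOTS = "User-agent: *\nDisallow:\n"
REFUSED_API = '{"result":"error","message":"access denied"}'
LEAKED_API = '[{"label":"/index","nb_visits":1234}]'
BROKEN_INSTALL = "Warning: include(/var/www/html/piwik/config/config.ini.php): failed to open stream"

if __name__ == "__main__":
    print("hardened:", audit(GOOD_UI, GOOD_ROBOTS, REFUSED_API))
    print("exposed: ", audit(BAD_UI, BAD_ROBOTS, LEAKED_API, BROKEN_INSTALL))
```

Run it against response bodies fetched from your own installation; a `False` in the result points at one of the suggestions in the mail above (add the meta tags, add the robots.txt rule, check the anonymous user's permissions, or finish the broken install so the diagnostics page disappears).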