NetworkToolbox news

Scary piwik findings – Update 3

Maybe not all of you know what Piwik is. It is a very nice tool for website statistics. I like this tool especially because it offers features to anonymize, or not record at all, visitors' IP addresses and other private information while still generating nice and useful website statistics. So I would call it basically the opposite of Google Analytics.

Since Piwik is getting increasingly popular, many websites have started using it, but, as so often, even Piwik requires some basic understanding of PHP, Linux and server security. Some website admins seem to be blinded by the easy user interface and assume it is just as easy to configure securely.

Obviously that's not the case. There are several open (and, worse, half-finished) Piwik installations out there which anyone can access easily. Such installations are quite dangerous for the web admin because they reveal a lot of inside information about the server configuration (PHP version, paths, error backtraces), and it would not take much to use such an installation as a stepping stone to hijack a complete server.

You may wonder how such servers can be found. This is also quite easy, and in this case Google is our friend (in other cases I would reject this statement vehemently). As mentioned in an earlier post, Google can be used to search for URLs containing specific paths or parameters if you prefix your search term with

allinurl:

so in case of Piwik you can enter

allinurl: "piwik/index.php"

This will give you a list of websites where Piwik is installed. Just browsing through these findings is entertaining in itself: they often contain error backtraces and error logs.

I was (not) even more surprised that some installations allowed anonymous access with admin privileges. To check for this, one just needs to add either this:

/index.php?module=UsersManager&action=anonymousSettings

or this

/index.php?module=Installation&action=systemCheckPage

to the URL from the Google result list, replacing everything after

.../piwik/index.php

So for instance

http://www-nice-website/piwik/index.php?...

becomes

http://www-nice-website/piwik/index.php?module=UsersManager&action=anonymousSettings

UPDATE 1:
There seems to be an issue with Piwik where it is possible to download statistics even if there is no view access. If you append the following query string to .../piwik/index.php:

?module=API&method=Live.getLastVisitsDetails&idSite=1&period=month&date=2015-05-01&format=Tsv&token_auth=anonymous&expanded=1

you will get a TSV file (which Excel opens directly) with the visit details of idSite=1 (change the number to export any other site).
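As an added example that is not code from the original post or from the Piwik project, the following Python script assembles the three check URLs described above (the two module/action pages and the UPDATE 1 API export) from a Google result URL, and decides whether an API answer is an exported visit table rather than an error. The Google result URLs and the HTTP responses in the script are constructed for illustration; the column names in the sample table are assumed. Run the network part only against installations you administer.

```python
"""Assemble and evaluate the Piwik exposure checks from this post.

Added example, not code from the post or from Piwik. Sample URLs and
responses below are constructed; nothing here is captured from a real server.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit

# The two pages from the post that should not be reachable anonymously.
PROBES = {
    "anonymous_settings": {"module": "UsersManager", "action": "anonymousSettings"},
    "system_check": {"module": "Installation", "action": "systemCheckPage"},
}


def piwik_base(result_url):
    """Reduce a Google result URL to the installation's .../index.php.

    'http://host/piwik/index.php?module=CoreHome&action=index#x'
    becomes 'http://host/piwik/index.php'; a directory URL ending in '/'
    gets index.php appended; any other file in the directory is replaced.
    """
    parts = urlsplit(result_url)
    path = parts.path
    idx = path.rfind("/index.php")
    if idx >= 0:
        path = path[: idx + len("/index.php")]
    elif path.endswith("/"):
        path += "index.php"
    else:
        path = path.rsplit("/", 1)[0] + "/index.php"
    # Drop query string and fragment; the probes supply their own.
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def probe_urls(base, site_id=1, date="2015-05-01"):
    """Return the check URLs from the post, keyed by name."""
    urls = {name: base + "?" + urlencode(q) for name, q in PROBES.items()}
    api = {
        "module": "API",
        "method": "Live.getLastVisitsDetails",
        "idSite": site_id,
        "period": "month",
        "date": date,
        "format": "Tsv",
        "token_auth": "anonymous",  # the built-in anonymous user
        "expanded": 1,
    }
    urls["live_visits_tsv"] = base + "?" + urlencode(api)
    return urls


def api_exposes_visits(status, body):
    """True if the Live.getLastVisitsDetails answer looks like an exported table.

    A successful Tsv export starts with a tab-separated header row. An error
    message, an HTML page or a non-200 status counts as 'not exposed'.
    `body` must already be decoded text.
    """
    if status != 200 or not body.strip():
        return False
    first_line = body.lstrip("\ufeff").splitlines()[0]
    return "\t" in first_line and not first_line.startswith(("Error", "<", "{"))


def fetch(url, timeout=10):
    """GET url and return (status, decoded body). Opt-in network use only."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            raw, status = resp.read(), resp.status
    except urllib.error.HTTPError as e:
        raw, status = e.read(), e.code
    # Piwik writes its Tsv export for Excel and may send UTF-16 with a BOM.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return status, raw.decode("utf-16")
    return status, raw.decode("utf-8", errors="replace")


# Constructed sample responses (assumed column names, not real visitor data).
SAMPLE_EXPOSED = "idSite\tidVisit\tvisitIp\treferrerKeyword\n1\t42\t0.0.0.0\tpiwik security\n"
SAMPLE_DENIED = "Error: access denied (constructed sample message)"


if __name__ == "__main__":
    # Usage: python piwik_check.py http://www-nice-website/piwik/index.php?...
    for name, url in probe_urls(piwik_base(sys.argv[1])).items():
        status, body = fetch(url)
        verdict = "EXPOSED" if (name == "live_visits_tsv" and api_exposes_visits(status, body)) else status
        print(f"{name}: {verdict}  {url}")
```

The classifier only needs the first line because a Tsv export is a table whose header row already proves the anonymous user could read visit details; an installation with the anonymous user set to "no access" answers with an error message instead.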

UPDATE 2:

I contacted the German “Piraten Partei” before I wrote this blog post. So far: no answer. Meanwhile they have responded to the press that they intentionally left the statistics open to the public. This is fair enough, as there is nothing to hide.

However, two questions remain:

  1. Why don't they tell us that they are collecting our information (especially search queries, website referrals and exit pages)? In their website disclaimer (even on Andrea Bogner's website) they say “Eine Speicherung von Verbindungsdaten … erfolgt nicht”, which means “we don't store connection data”, which is obviously wrong.
  2. If they intentionally left their Piwik stats accessible, why don't they officially link to these stats? Is there just an elitist circle that had or has access to these stats?

UPDATE 3:

Please read this separate post for a further update.

Best Regards,

Marcus