Hijacking user account via embedded widgets using token_auth #12399
I embed a Piwik widget on an external site in an iframe, using the URL generated by Piwik, for example to display the list of pages:
This works fine and the wanted widget is displayed correctly. But now every user of the embedding website is able to read this URL in the source code of the embedding website and modify it by removing the URL parameter "&action=iframe", resulting in:
Entering this modified URL into the browser, the user is granted full access to Piwik, including the UserManager. Thus he is able to set a new password or generate a new token_auth and take full control over the user account. If the token_auth of an administrator account was used, this leads to even worse problems. The token_auth, which should protect an account used for embedding widgets externally, is completely useless and raises a security issue IMHO.
I haven't found any (user) configuration preventing this scenario yet. If there is any, please advise.
The version of Piwik is 3.2.1.
Of course one would use a view-only account for embedding widgets for general security reasons, but following the above steps can still lead to the situation where this account is hacked. When a new token_auth is generated, the embedded widgets stop working.
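A small audit check for the exposure described in this issue, added here as an example and not Piwik's own code: it scans an HTML page for embedded widget iframes whose src carries a token_auth and derives the URL that remains once action=iframe is dropped, which is the URL the report says grants full access to the account. The widget URL layout (index.php?module=Widgetize&action=iframe&...&token_auth=...), the host piwik.example.org and the token value are assumptions; the HTML is constructed sample input.

```python
"""Find Piwik/Matomo widget embeds that leak a token_auth in page HTML.

Added example, not part of the Piwik project. The widget URL format and
the sample page below are assumptions made for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample page: one widget embed of the kind the issue describes,
# plus an unrelated iframe that must not be reported.
SAMPLE_HTML = """
<html><body>
<h1>Site stats</h1>
<iframe src="https://piwik.example.org/index.php?module=Widgetize&amp;action=iframe&amp;widget=1&amp;moduleToWidgetize=Actions&amp;actionToWidgetize=getPageUrls&amp;idSite=1&amp;period=week&amp;date=yesterday&amp;token_auth=0123456789abcdef0123456789abcdef" width="100%" height="350"></iframe>
<iframe src="https://video.example.org/embed/42"></iframe>
</body></html>
"""


class IframeSrcCollector(HTMLParser):
    """Collect every iframe src attribute (entities such as &amp; are decoded)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def mask_token(token):
    """Keep only the first and last four characters so a report can be shared safely."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "..." + token[-4:]


def find_exposed_tokens(html):
    """Return one finding per iframe whose URL carries a token_auth parameter.

    Each finding records the masked token and the URL obtained by removing
    action=iframe, i.e. what anyone reading the page source can build.
    """
    collector = IframeSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        parts = urlsplit(src)
        params = parse_qsl(parts.query, keep_blank_values=True)
        values = dict(params)
        if "token_auth" not in values:
            continue
        # Drop only the parameter that makes the URL render as a widget;
        # the credential (token_auth) and the site id stay in place.
        stripped = [(k, v) for k, v in params if not (k == "action" and v == "iframe")]
        full_access_url = urlunsplit(parts._replace(query=urlencode(stripped)))
        findings.append({
            "embed_src": src,
            "host": parts.netloc,
            "idsite": values.get("idSite"),
            "token_masked": mask_token(values["token_auth"]),
            "full_access_url": full_access_url,
        })
    return findings


if __name__ == "__main__":
    for f in find_exposed_tokens(SAMPLE_HTML):
        print(f"[EXPOSED] host={f['host']} idSite={f['idsite']} token={f['token_masked']}")
        print(f"          same token without action=iframe: {f['full_access_url']}")
```

Run it against the saved HTML of any page that embeds a widget; every reported URL is a credential that a visitor can lift from the page source, so the token should belong to a dedicated view-only user and be rotated if it was ever an administrator's.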