Hijacking user account via embedded widgets using token_auth #12399

Closed
JanBartels opened this Issue Jan 3, 2018 · 4 comments

JanBartels commented Jan 3, 2018

I embed a Piwik widget on an external site in an IFrame using the URL generated by Piwik, for example to display the list of pages:

https://piwik.domain.tld/index.php?module=Widgetize&action=iframe&widget=1&moduleToWidgetize=Actions&actionToWidgetize=getPageUrls&idSite=2&period=range&date=last30&disableLink=1&widget=1&token_auth=xxx

This works fine and the wanted widget is displayed correctly. But now every user of the embedding website is able to read this URL in the source code of the embedding website and modify it by removing the URL parameter "&action=iframe", resulting in:

https://piwik.domain.tld/index.php?module=Widgetize&widget=1&moduleToWidgetize=Actions&actionToWidgetize=getPageUrls&idSite=2&period=range&date=last30&disableLink=1&widget=1&token_auth=xxx

Entering this modified URL into the browser, the user is granted full access to Piwik, including the UserManager. Thus, he is able to set a new password or generate a new token_auth and take full control over the user account. If the token_auth of an administrator account was used, this leads to even worse problems. The token_auth, which should protect an account used for embedding widgets externally, is completely useless and raises a security issue IMHO.

I haven't found any (user) configuration preventing this scenario yet. If there is any, please advise.

The version of Piwik is 3.2.1.
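As an added example (not code from the Piwik project or from the issue reporter), the following Python script audits an embedding page's HTML for Widgetize iframes whose src carries a token_auth, and derives the URL with action=iframe removed that the report above says loads the full Piwik UI as the token's user. The host piwik.example.test, the token value and the sample HTML are constructed placeholders.

```python
"""Audit an embedding page for Piwik Widgetize iframes that expose token_auth.

Added example; not code from the Piwik project or the issue reporter.
The HTML, the host and the token value are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of an embedding page's source (not taken from a real site).
EMBEDDING_PAGE_HTML = """
<html><body>
<h1>Traffic</h1>
<iframe width="100%" height="350" src="https://piwik.example.test/index.php?module=Widgetize&amp;action=iframe&amp;widget=1&amp;moduleToWidgetize=Actions&amp;actionToWidgetize=getPageUrls&amp;idSite=2&amp;period=range&amp;date=last30&amp;disableLink=1&amp;widget=1&amp;token_auth=0123456789abcdef0123456789abcdef"></iframe>
<iframe src="https://www.example.test/other"></iframe>
</body></html>
"""


class IframeSrcCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in the document.

    HTMLParser unescapes attribute values, so '&amp;' in the markup
    becomes '&' in the collected URL.
    """

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def iframe_sources(html):
    parser = IframeSrcCollector()
    parser.feed(html)
    return parser.sources


def query_pairs(url):
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def is_widgetize_with_token(url):
    """True when the URL is a Widgetize request carrying token_auth in the query."""
    params = dict(query_pairs(url))
    return params.get("module") == "Widgetize" and "token_auth" in params


def escalated_url(url):
    """Drop action=iframe, which per the report above turns the widget URL into
    a full-UI login as the token's user (observed on Piwik 3.2.1)."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in query_pairs(url) if not (k == "action" and v == "iframe")]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def redact_token(url):
    """Mask the token value so findings can be logged or reported safely."""
    parts = urlsplit(url)
    masked = [(k, "REDACTED" if k == "token_auth" else v) for k, v in query_pairs(url)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(masked), parts.fragment))


def audit(html):
    """Return one finding per iframe whose src exposes a token_auth."""
    findings = []
    for src in iframe_sources(html):
        if is_widgetize_with_token(src):
            findings.append({
                "iframe_src": redact_token(src),
                "escalated_url": redact_token(escalated_url(src)),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(EMBEDDING_PAGE_HTML):
        print("token_auth exposed in iframe:", finding["iframe_src"])
        print("full-UI URL an attacker derives:", finding["escalated_url"])
```

Run it over the real source of the embedding page; any finding means every visitor can read the token, and the only choices the maintainers describe in this thread are a view-only account or not embedding on a public site, while regenerating the token breaks the widgets.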

sgiehl (Member) commented Jan 3, 2018

No, there is no way to circumvent this. For embedding widgets / dashboards we recommend accounts with view-only access.
We hope to improve that by introducing app-specific tokens in #6559.

JanBartels commented Jan 3, 2018

Of course one would use view-only access for embedding widgets for general security reasons, but following the above steps can still lead to the situation where this account is hacked. When a new token_auth is generated, it results in a failure of the embedded widgets.

tsteur (Member) commented Jan 17, 2018

As @sgiehl mentioned, this is currently by design, and you should not embed the widget into a public website if you don't want all the data to be public. Giving view access to only one report / widget is currently not supported.

sgiehl (Member) commented Mar 30, 2018

closing in favor of #6559

sgiehl closed this Mar 30, 2018

sgiehl added the duplicate label Mar 30, 2018
