@Starker3 opened this Issue on August 8th 2022 Contributor

There is currently no security alert sent when the anonymous user is enabled for a Matomo instance. It also doesn't require a password for verification.

This means that any user that can set access for user accounts for a site/measurable could enable it without properly reading the warning and allow public access to their reports.

It would be good from a security perspective to do the following:

  1. Send an email alert to all super users that the anonymous user has been given access to site(s)
  2. Require password verification (There is already a popup, but this can be clicked without needing a password)
  3. Potentially send an email notification once a week/month to super users as a scheduled task so that they are reminded that their reports are publicly accessible.
    This would be useful for people who already have the anonymous user active and wouldn't have got the security alert.

@sgiehl commented on August 12th 2022 Member

Would you mind defining what the expected behavior should be when selecting multiple users (including anonymous) in the list and giving all view access at once? Currently not even the additional access warning is shown in that case.

@tsteur commented on August 14th 2022 Member

FYI it's actually too easy to give an anonymous user view access by accident. Especially using the multi select. Maybe an anonymous user cannot be enabled in the UI along with other users in the future?

And/or maybe ideally the anonymous user wouldn't appear in the users list until specifically enabled to appear there. We could always show e.g. this menu item:


and have a setting to enable/disable the anonymous user setting feature (just a random example).


Just a few ideas.

@peterhashair commented on November 6th 2022 Contributor

Just confirming the changes for this issue. @mattab @tsteur

  • Have a separate settings page for the anonymous user to enable/disable it, and require password confirmation on change.
  • Remove the anonymous user from the user management page

Question:

  • Do we need @Javi-Ormaechea to confirm the changes, due to a UI update?
  • Do we still send emails to the super admin when the anonymous user's access is being changed?

@justinvelluppillai commented on November 8th 2022 Member

@mattab can you please offer your thoughts on @peterhashair's approach and questions here?

@mattab commented on November 9th 2022 Member

Additionally:

  • Ask for password confirmation when enabling the anonymous user in the new screen
  • Send an email to all Super Users to notify them that this website was made public to the anonymous user

The proposed new screen (inspired by https://user-images.githubusercontent.com/273120/184553332-1de9f682-9e77-4f1a-93d6-3863d84aa9dc.png) & email message microcopy will be provided by @Javi-Ormaechea shortly
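
The controls agreed on in this thread (password re-confirmation before the anonymous user is granted view access, an email to every Super User when a site is made public, and a periodic reminder listing public sites) as one worked model, written in Python for this page. This is added example code, not Matomo's implementation: the `Store` class, the function names, the PBKDF2 password hashing and the sample accounts are all assumptions. It also covers the multi-select case from @sgiehl's question, where the anonymous user is only one of several selected logins, by deciding the sensitive branch on the whole selection rather than per user.

```python
# Added example modelling the proposed guard; NOT Matomo code, all names are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"  # Matomo's built-in anonymous login


class PasswordConfirmationRequired(Exception):
    pass


class InvalidPassword(Exception):
    pass


def hash_password(password: str, salt: bytes) -> bytes:
    # Illustrative KDF for the example only; a real system uses its own password storage.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Store:
    super_user_emails: dict            # login -> email address
    salts: dict                        # login -> per-user salt
    password_hashes: dict              # login -> PBKDF2 hash
    access: dict = field(default_factory=dict)  # site_id -> set of logins with view access
    outbox: list = field(default_factory=list)  # (recipient, message) pairs "sent"


def verify_password(store: Store, login: str, password: str) -> bool:
    expected = store.password_hashes[login]
    actual = hash_password(password, store.salts[login])
    return hmac.compare_digest(expected, actual)  # constant-time comparison


def grant_view_access(store, actor, logins, site_ids, confirmation_password=None):
    """Give every login in `logins` view access to every site in `site_ids`.

    Returns True when the change made the sites public. The check runs on the
    whole selection, so a multi-select that merely includes 'anonymous' is
    treated exactly like selecting the anonymous user alone. Nothing is
    written until the confirmation has passed.
    """
    makes_public = ANONYMOUS in logins
    if makes_public:
        if confirmation_password is None:
            raise PasswordConfirmationRequired("re-enter your password to make a site public")
        if not verify_password(store, actor, confirmation_password):
            raise InvalidPassword("password confirmation failed")

    for site_id in site_ids:
        store.access.setdefault(site_id, set()).update(logins)

    if makes_public:  # one notification per Super User per site made public
        for site_id in site_ids:
            for email in store.super_user_emails.values():
                store.outbox.append((email, f"Site {site_id} is now public: anonymous view access granted by {actor}"))
    return makes_public


def public_sites(store):
    """Sites currently readable by the anonymous user; input for the scheduled reminder."""
    return sorted(s for s, logins in store.access.items() if ANONYMOUS in logins)


def reminder_emails(store):
    """Periodic reminder to Super Users (item 3 of the issue); empty when nothing is public."""
    sites = public_sites(store)
    if not sites:
        return []
    body = "Reminder: anonymous view access is enabled for site(s) " + ", ".join(map(str, sites))
    return [(email, body) for email in store.super_user_emails.values()]


def demo_store():
    """Constructed sample data: two Super Users and one editor 'carol' who performs the change."""
    salt = os.urandom(16)
    return Store(
        super_user_emails={"alice": "alice@example.test", "bob": "bob@example.test"},
        salts={"carol": salt},
        password_hashes={"carol": hash_password("correct horse", salt)},
    )
```

The point of deciding `makes_public` on the whole selection is that the bulk path and the single-user path cannot diverge: the confirmation prompt that the UI currently skips for multi-select would be enforced server-side regardless of how the request was built.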

@peterhashair commented on November 13th 2022 Contributor

@mattab any update on this?
