Insecure Automatic Update #2146
Labels
duplicate
For issues that already existed in our issue tracker and were reported previously.
Enhancement
For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Right now, the automated update doesn't appear to check the authenticity of the zip. It would be straightforward in some networks to alias the piwik.org domain to some malicious machine containing a compromised zip. Some options are to download only via https, or verify a GnuPG detached signature with it.
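One way to implement the detached-signature option raised in this issue, as an added example (not Matomo's updater code and not part of the original report): the archive is accepted only if `gpg` reports a valid signature from a pinned key. The fingerprint, keyring path and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: gate an update archive on a detached GnuPG signature.
# PINNED_FPR is a constructed placeholder, not a real release-key fingerprint.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line names
# the pinned fingerprint and no status line marks the signature or key as bad.
status_is_trusted() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3 is the signing (sub)key fingerprint; the last field is the
            # primary key fingerprint, so a signing subkey also matches.
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) ok = 1
        }
        # Bad, unverifiable, expired or revoked: never accept.
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
                             $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_update ARCHIVE SIGNATURE KEYRING
# KEYRING is a keyring file shipped with the installed application (assumed
# path), so keys in the user's default keyring are not consulted.
verify_update() {
    gpg --batch --no-default-keyring --keyring "$3" \
        --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | status_is_trusted "$PINNED_FPR"
}

# Constructed status line (not captured gpg output) for exercising the parser
# without gpg or network access.
sample_status() {
    printf '[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n' \
        "$PINNED_FPR" "$PINNED_FPR"
}

# Intended use in an updater (file names are placeholders):
#   if verify_update latest.zip latest.zip.asc ./release-keyring.gpg; then
#       unzip latest.zip
#   else
#       echo "update signature check failed, aborting" >&2
#   fi
```

Checking the machine-readable status lines against a pinned fingerprint, rather than relying on the exit code of `gpg --verify` alone, means a valid signature from any other key in the keyring does not pass.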