After discussing with Matthieu Aubry. The original report:
PIWIK version: Piwik 1.12
The risk of leaking a token_auth is very high, which leads to the complete compromise of the account.
The documentation clearly states that the token_auth is like a password and it should be handled as such. Unfortunately the application doesn't do so. In the same way as passwords are not shown on pages, they shouldn't ever be sent back to the client; the token_auth shouldn't be disclosed in any way.
At the moment token_auths are shown on pages (at least on the admin's users page) and stored in hidden input fields in forms, and thus sent in requests. This could potentially lead to the leakage of the token_auth in the browser cache or a proxy cache.
Although the browser cache can be controlled from the server, it is not trivial, and what it will do very much depends on the type of the browser. If it saves the responses, then an attacker can steal token_auths either by accessing the cache from the browser, or by stealing the cache from the filesystem.
It was shown that a response with a token_auth has been saved in the browser's memory cache. This means that if an attacker has access to a browser that was used to browse PIWIK recently, then he can steal the token_auth. Since not every occurrence of the token_auth was tested, it is also possible that some responses would also be saved on the disk.
The token_auth should never be disclosed as passwords are not disclosed either.
Attachment: Cached response
Attachment: token_auth in cached response
Thank you for the suggestion. The way Piwik UI works at present is that it gets the token from the page, to use to sign the API request (the Piwik UI calls the API in the controller, or directly via ajax).
When we hide the token from the response as per this ticket, we will need a new way to authenticate to the API. Simply allowing the API to read the current cookie/session would not work, as it would open Piwik to CSRF if used while logged in...?
Proposal: we could change API authentication so it does not require token_auth, but can also be authenticated using a special token / nonce that will be valid only for this session.