[Security, Critical] Piwik uses the MD5 of the password as a valid login token (!!) #8753
Labels: c: Security (for issues that make Matomo more secure; please report issues through HackerOne and not in GitHub); duplicate (for issues that already existed in our issue tracker and were reported previously).
It is possible to pass a username and a password which is the md5 hash of the user's actual password, and Piwik will treat it as valid.
Per docs:
If a user ever shares a password between Piwik and another MD5-hashing app, and a bad actor obtains a dump of the other app's hashes, their Piwik account will be compromised (even without any reverse hashing).
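The following is an added example, not Piwik's or Matomo's own code, to make the flaw the report describes and its remedy concrete. `legacy_check` is a hypothetical reconstruction of a login check that accepts either the plaintext password or its MD5 digest as the credential, which is exactly why a digest leaked from some other MD5-hashing application works as a login without any reversal. `hash_password` and `verify_password` show the hardened alternative: a per-user random salt, a slow KDF (PBKDF2-HMAC-SHA256), and no code path that treats an already-hashed value as a credential. The sample password and stored digest are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential (not a real user's password).
SAMPLE_PASSWORD = "correct horse battery staple"
# What a legacy MD5-only scheme, like the one the issue describes, would store.
LEGACY_STORED_MD5 = hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def legacy_check(submitted: str, stored_md5: str) -> bool:
    """Hypothetical reconstruction of the flawed check (not Piwik's code).

    Two representations are accepted as the credential: the plaintext
    password (hashed on the fly) and the stored digest itself. The second
    branch is the bug: whoever holds the MD5 digest, e.g. from another
    application's leaked hash table, authenticates without cracking it.
    """
    digest_of_submitted = hashlib.md5(submitted.encode()).hexdigest()
    return (hmac.compare_digest(digest_of_submitted, stored_md5)
            or hmac.compare_digest(submitted.lower(), stored_md5))


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened storage: per-user random salt plus a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt.hex(), "hash": key.hex(), "iterations": KDF_ITERATIONS}


def verify_password(record: dict, submitted: str) -> bool:
    """Hardened check: only the plaintext password verifies.

    Whatever the client submits is always run through the KDF with the
    user's salt; there is no branch that accepts a pre-hashed value, so a
    digest leaked from any other system is not a valid credential here.
    """
    salt = bytes.fromhex(record["salt"])
    key = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, record["iterations"])
    return hmac.compare_digest(key.hex(), record["hash"])


def demo() -> dict:
    """Return the four outcomes side by side so the difference is explicit."""
    record = hash_password(SAMPLE_PASSWORD)
    return {
        "legacy_accepts_password": legacy_check(SAMPLE_PASSWORD, LEGACY_STORED_MD5),
        "legacy_accepts_digest": legacy_check(LEGACY_STORED_MD5, LEGACY_STORED_MD5),
        "hardened_accepts_password": verify_password(record, SAMPLE_PASSWORD),
        "hardened_accepts_digest": verify_password(record, LEGACY_STORED_MD5),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the side-by-side is the second and fourth entries: the legacy scheme grants a login for the bare digest, while the hardened scheme rejects it because the digest is just another wrong password to the KDF. Migrating existing users means re-hashing at their next successful login rather than wrapping the old MD5 in the new KDF, since the stored MD5 would otherwise remain a usable credential.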