[Security, Critical] Piwik uses the MD5 of the password as a valid login token (!!) #8753

etjossem · 2015-09-11T00:06:28Z

It is possible to pass a username and a password which is the md5 hash of the user's actual password, and Piwik will treat it as valid.

Per docs:

If you want to provide a one-click automatic login to Piwik for your users, you can use the ‘logme’ mechanism, and pass their login & the md5 string of their password in the URL parameters...

If a user ever shares a password between Piwik and another MD5-hashing app, and a bad actor obtains a dump of the other app's hashes, their Piwik account will be compromised (even without any reverse hashing).

The text was updated successfully, but these errors were encountered:

mattab · 2015-09-14T20:45:33Z

Thanks @etjossem for the report.

Piwik works in this way by design so far. to resolve this issue properly is included in #5728 where we will improve the hashing algorithm and also provide a more secure logme mechanism.

etjossem mentioned this issue Sep 11, 2015

Passwords: use better algorithm than md5 hash, use salts and maintain BC #5728

Closed

mattab closed this as completed Sep 14, 2015

mattab added duplicate For issues that already existed in our issue tracker and were reported previously. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels Sep 14, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security, Critical] Piwik uses the MD5 of the password as a valid login token (!!) #8753

[Security, Critical] Piwik uses the MD5 of the password as a valid login token (!!) #8753

etjossem commented Sep 11, 2015

mattab commented Sep 14, 2015

[Security, Critical] Piwik uses the MD5 of the password as a valid login token (!!) #8753

[Security, Critical] Piwik uses the MD5 of the password as a valid login token (!!) #8753

Comments

etjossem commented Sep 11, 2015

mattab commented Sep 14, 2015