CSRF in user tracking #9041

Open
UnlockPrice opened this issue Oct 17, 2015 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@UnlockPrice

  1. In Piwik, an admin can provide a tracking opt-out option for users using an iframe: "http://demo.piwik.org/index.php?module=CoreAdminHome&action=optOut&language=en"
  2. If an attacker embeds the URL and makes the user execute the URL "http://demo.piwik.org/index.php?module=CoreAdminHome&action=optOut&language=en&setCookieInNewWindow=1&showConfirmOnly=1", they will be tracked out from Piwik analytics without their knowledge.

Regards
Elamaran V
elamaran619@gmail.com

@mattab
Member

mattab commented Nov 26, 2015

Thanks for the report @UnlockPrice!

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Dec 23, 2015
@mattab mattab added this to the Short term milestone Dec 23, 2015
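
The report in this thread describes a state change (setting the opt-out cookie) that a plain GET URL can trigger. As an added example, which is not Matomo's code and not part of the issue thread, the Python below models that behaviour next to a handler that only changes state on a POST carrying a session-bound nonce. The function names, the cookie name, the `nonce` parameter and the existence of a visitor session are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # per-installation key (constructed for this example)
OPTOUT_COOKIE = "optout"           # hypothetical cookie name, not Matomo's


def make_nonce(session_id: str) -> str:
    """Nonce bound to the visitor's session; another origin cannot read or compute it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def opt_out_vulnerable(method: str, params: dict, session_id: str) -> dict:
    """Model of the reported behaviour (assumption): a query flag on a GET sets the cookie."""
    if params.get("setCookieInNewWindow") == "1":
        return {"status": 200, "set_cookie": {OPTOUT_COOKIE: "1"}}
    return {"status": 200, "set_cookie": {}}


def opt_out_hardened(method: str, params: dict, session_id: str) -> dict:
    """GET only renders the form with a nonce; the cookie needs POST plus a valid nonce."""
    expected = make_nonce(session_id)
    if method != "POST":
        return {"status": 200, "set_cookie": {}, "form_nonce": expected}
    supplied = params.get("nonce", "")
    # Constant-time comparison on bytes, so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return {"status": 403, "set_cookie": {}}
    return {"status": 200, "set_cookie": {OPTOUT_COOKIE: "1"}}


# Constructed request: the query parameters from the report, as delivered by an embedded URL.
FORGED = {"module": "CoreAdminHome", "action": "optOut", "language": "en",
          "setCookieInNewWindow": "1", "showConfirmOnly": "1"}

if __name__ == "__main__":
    sid = "visitor-session-1"  # constructed session identifier
    print("vulnerable GET:", opt_out_vulnerable("GET", FORGED, sid))
    print("hardened GET:  ", opt_out_hardened("GET", FORGED, sid))
    nonce = opt_out_hardened("GET", {}, sid)["form_nonce"]
    print("hardened POST: ", opt_out_hardened("POST", {"nonce": nonce}, sid))
```
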