Widely-used open source web analytics platform Piwik has confirmed that hackers on Monday breached its piwik.org webserver and planted malicious code in the ZIP file containing its current software update.
Piwik confirmed the breach on Tuesday after users who had downloaded version 1.9.2 published concerns on its own forum and Full Disclosure that the update contained a possible backdoor.
“Piwik.org webserver got compromised by an attacker on 2012 Nov 26th, this attacker added a malicious code in the Piwik 1.9.2 Zip file for a few hours,” it said.
Created in 2007 by New Zealand-based French national Matthieu Aubry, the web analytics platform is currently used by 460,000 websites in 150 countries, according to Piwik.
It’s not known how many Piwik users have been affected; however, Piwik said the malicious update was available for an eight-hour period spanning Monday and Tuesday, depending on the user's local time zone.
“You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC,” Piwik said in a security update.
In Sydney, that would have been during the eight hours up to 10am Tuesday 27 November.
“If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.”
Infected Piwik installations would include the line "eval(gzuncompress(base64_decode('...", according to The H Security.
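A defender-side check for the signature quoted above, added here as an example rather than code from the article or from Piwik: it walks a directory of PHP files and reports every line matching the eval(gzuncompress(base64_decode(...))) pattern. The sample tree it builds is constructed for the demo and carries a harmless echo payload, not the real backdoor.

```python
import base64
import os
import re
import tempfile
import zlib

# Pattern reported for the tampered 1.9.2 archive: eval() over
# gzuncompress(base64_decode(...)). Whitespace between tokens is tolerated.
BACKDOOR_RE = re.compile(
    rb"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(", re.IGNORECASE
)


def scan_for_backdoor(root):
    """Return sorted (relative path, line number) pairs for each .php/.inc
    line under `root` that matches the signature."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".inc")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                for lineno, line in enumerate(fh, 1):
                    if BACKDOOR_RE.search(line):
                        rel = os.path.relpath(full, root).replace(os.sep, "/")
                        hits.append((rel, lineno))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed fixture (not real Piwik files): one clean file and one file
    carrying the obfuscation pattern around a harmless echo."""
    payload = base64.b64encode(zlib.compress(b'echo "constructed sample";'))
    os.makedirs(os.path.join(root, "plugins"), exist_ok=True)
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php\nrequire_once 'core/bootstrap.php';\n")
    with open(os.path.join(root, "plugins", "tampered.php"), "wb") as fh:
        fh.write(b"<?php\n// legitimate-looking code\n$x = 1;\n")
        fh.write(b"eval(gzuncompress(base64_decode('" + payload + b"')));\n")


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="piwik-scan-")
    build_sample_tree(root)
    return scan_for_backdoor(root)


if __name__ == "__main__":
    for path, lineno in run_demo():
        print(f"suspicious: {path}:{lineno}")
```

Point `scan_for_backdoor` at a real Piwik document root to check an installation; a match is grounds to follow Piwik's removal instructions rather than proof on its own, since any hit should be inspected.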
Piwik said the attackers used a “security issue” in a WordPress plugin to break into its piwik.org server, adding that it was not aware of any exploitable flaws in its own software.
Piwik’s blog post provides removal instructions.
It has denied that any personal data was lost in the “partial” webserver breach.