Hackers planted backdoor in Piwik's web analytics update


Image credit: Piwik.

Widely-used open source web analytics platform Piwik has confirmed that hackers on Monday breached its piwik.org webserver and planted malicious code in the ZIP file containing its current software update.

Piwik confirmed the breach on Tuesday after users who had downloaded version 1.9.2 published concerns on its own forum and Full Disclosure that the update contained a possible backdoor.

Piwik.org webserver got compromised by an attacker on 2012 Nov 26th, this attacker  added a malicious code in the Piwik 1.9.2 Zip file for a few hours,” it said.

Created in 2007 by New Zealand-based French national Matthieu Aubry, the web analytics platform is currently used by 460,000 websites in 150 countries, according to Piwik.

It’s not known how many Piwik users have been affected, however Piwik said the malicious update was available for an eight hour period between Monday and Tuesday, depending on the location of the user.

“You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC,” Piwik said in a security update.

In Sydney, that would have been during the eight hours up to 10am Tuesday 27 November. 

“If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.”

Infected Piwik installations would include the line "eval(gzuncompress(base64_decode('...", according to The H Security.

Piwik said the attackers used a “security issue” in a WordPress plugin to break into its piwik.org server, adding that it was not aware of any exploitable flaws in its own software. 

Piwik’s blog post provides removal instructions.

It has denied that any personal data was lost in the “partial” webserver breach. 

Register or Login to continue

This article is only available for subscribers. Sign up now for free and get free access to premium content from ARN, CIO, and Computerworld.

Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: hackers, breach, Piwik, Piwik.org, Wordpress, malicious code, web analytics platform
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Audit Management Solutions

Manage the complete audit lifecycle from audit universe identification and risk assessment to management/board reporting and quality assurance.

more »

Submit your own security event

Submit your training courses

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.

Read More
more »