Hackers planted backdoor in Piwik's web analytics update


Widely-used open source web analytics platform Piwik has confirmed that hackers on Monday breached its piwik.org webserver and planted malicious code in the ZIP file containing its current software update.

Piwik confirmed the breach on Tuesday after users who had downloaded version 1.9.2 published concerns on its own forum and Full Disclosure that the update contained a possible backdoor.

“Piwik.org webserver got compromised by an attacker on 2012 Nov 26th, this attacker added a malicious code in the Piwik 1.9.2 Zip file for a few hours,” it said.

Created in 2007 by New Zealand-based French national Matthieu Aubry, the web analytics platform is currently used by 460,000 websites in 150 countries, according to Piwik.

It’s not known how many Piwik users have been affected; however, Piwik said the malicious update was available for an eight-hour period between Monday and Tuesday, depending on the location of the user.

“You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC,” Piwik said in a security update.

In Sydney, that would have been during the eight hours up to 10am Tuesday 27 November. 

“If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.”

Infected Piwik installations would include the line "eval(gzuncompress(base64_decode('...", according to The H Security.
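For administrators checking their own installs, the two facts above (the exposure window and the reported indicator line) can be turned into a quick check. The following is an added example, not code from Piwik or from this article; the function names and the sample directory tree are constructed for illustration, and the payload is replaced by a harmless placeholder.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Indicator line reported in the article; whitespace between tokens is tolerated.
INDICATOR = re.compile(rb"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(", re.I)

# At-risk window from Piwik's security update, in UTC (23:59 treated as inclusive).
WINDOW_START = datetime(2012, 11, 26, 15, 43, tzinfo=timezone.utc)
WINDOW_END = datetime(2012, 11, 26, 23, 59, 59, tzinfo=timezone.utc)

def in_exposure_window(ts):
    """True if a timezone-aware install/update time falls inside the window."""
    return WINDOW_START <= ts.astimezone(timezone.utc) <= WINDOW_END

def scan_tree(root):
    """Return (relative path, line number) for each PHP line matching the indicator."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        for lineno, line in enumerate(data.splitlines(), 1):
            if INDICATOR.search(line):
                hits.append((str(path.relative_to(root)), lineno))
    return hits

def build_sample_tree(root):
    """Constructed sample install: one clean file, one carrying the indicator."""
    core = Path(root) / "core"
    core.mkdir(parents=True)
    (core / "Clean.php").write_text("<?php\necho 'ok';\n")
    (core / "Tainted.php").write_text(
        "<?php\n// footer\neval(gzuncompress(base64_decode('PLACEHOLDER')));\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, lineno in scan_tree(tmp):
            print(f"indicator at {rel}:{lineno}")
    # Constructed timestamp: an update performed at 16:00 UTC on Nov 26.
    print("in window:", in_exposure_window(
        datetime(2012, 11, 26, 16, 0, tzinfo=timezone.utc)))
```

A match only flags a file for review; removal should follow the instructions in Piwik's blog post.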

Piwik said the attackers used a “security issue” in a WordPress plugin to break into its piwik.org server, adding that it was not aware of any exploitable flaws in its own software. 

Piwik’s blog post provides removal instructions.

It has denied that any personal data was lost in the “partial” webserver breach. 
