Just to play devil’s advocate here, what could a malicious actor knowing the token_auth of a Piwik user possibly do with it?
I take it that viewing widgets and the dashboard is possible, as token_auth is used to show those in an iframe on an external site.
But would, e.g., any of the following be possible?
- Modifying the user's dashboard (adding/removing widgets)
- Changing the user's settings (including password, e-mail address, etc.)
- If the user is a super user: changes to Piwik administration, such as adding/removing users, changing users' passwords, adding/removing sites, etc.
I’m assuming that “enable_framed_pages” and “enable_framed_settings” (see When included in an IFrame, Piwik reports do not load. How do I allow Piwik reports to load from within an iframe? - Analytics Platform - Matomo) are kept at their default values. Although I don’t know if they have only a frame-busting effect or actually restrict what can be accessed with a known token_auth.
The background for the question is work on a plugin for password encryption in Piwik - see 301 Moved Permanently. The token_auth will not be encrypted and could still be acquired by logging Piwik communication.
Thanks in advance.
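One way to answer the question empirically for a given token is to probe the Reporting API with it and see which calls are accepted. The script below is an added example written for this thread; it is not code from the post or from the Matomo/Piwik project. It assumes the Matomo Reporting API endpoint `index.php?module=API&format=JSON`, that `token_auth` is accepted as a POST parameter, that denied calls come back as `{"result":"error","message":"..."}`, and that the three method names used exist with the access levels noted (view, admin, superuser). The server responses embedded at the bottom are constructed so the script runs offline; point `probe_token` at a real instance by leaving `fetch` unset.

```python
"""Probe what a known Matomo/Piwik token_auth is allowed to do (added example).

Assumptions (not taken from the forum post): the Reporting API lives at
<base>/index.php?module=API&format=JSON, token_auth may be sent as a POST
parameter, and a refused call returns {"result":"error","message":"..."}.
"""
import json
import urllib.parse
import urllib.request

# Reporting API methods and the minimum access level each is assumed to need,
# ordered from least to most privileged.
PROBES = [
    ("SitesManager.getSitesWithViewAccess", "view"),
    ("SitesManager.getSitesWithAdminAccess", "admin"),
    ("UsersManager.getUsers", "superuser"),
]


def build_request(base_url, method, token_auth, extra=None):
    """Return (url, body) for one API call.

    token_auth goes in the POST body rather than the query string so it is
    not copied into web-server access logs or proxy logs along with the URL.
    Anyone who can read the plaintext HTTP exchange still sees it, which is
    the exposure the post is worried about.
    """
    params = {"module": "API", "method": method, "format": "JSON",
              "token_auth": token_auth}
    if extra:
        params.update(extra)
    url = base_url.rstrip("/") + "/index.php"
    return url, urllib.parse.urlencode(params).encode()


def classify(response_text):
    """Map a raw JSON response to 'ok', 'denied' (permission error) or 'error'."""
    try:
        data = json.loads(response_text)
    except ValueError:
        return "error"
    if isinstance(data, dict) and data.get("result") == "error":
        message = str(data.get("message", "")).lower()
        return "denied" if "access" in message else "error"
    return "ok"


def probe_token(base_url, token_auth, fetch=None):
    """Run every probe and return (highest_level, {method: outcome}).

    fetch(url, body) must return the response text; the default does a real
    HTTP POST. Because PROBES is ordered by privilege, the last accepted
    call is the highest level the token appears to hold.
    """
    if fetch is None:
        def fetch(url, body):
            with urllib.request.urlopen(url, data=body, timeout=10) as resp:
                return resp.read().decode()
    results = {}
    highest = None
    for method, level in PROBES:
        url, body = build_request(base_url, method, token_auth)
        outcome = classify(fetch(url, body))
        results[method] = outcome
        if outcome == "ok":
            highest = level
    return highest, results


# Constructed responses standing in for a server whose token has admin
# access on one site but is not a super user. Sample data, not real output.
CONSTRUCTED_RESPONSES = {
    "SitesManager.getSitesWithViewAccess": '[{"idsite":"1","name":"example"}]',
    "SitesManager.getSitesWithAdminAccess": '[{"idsite":"1","name":"example"}]',
    "UsersManager.getUsers":
        '{"result":"error","message":"This resource requires superuser access."}',
}


def fake_fetch(url, body):
    """Offline stand-in for the HTTP POST; answers from CONSTRUCTED_RESPONSES."""
    method = urllib.parse.parse_qs(body.decode())["method"][0]
    return CONSTRUCTED_RESPONSES[method]


if __name__ == "__main__":
    level, detail = probe_token("https://matomo.example.org", "0123456789abcdef",
                                fetch=fake_fetch)
    print("highest access level reached:", level)
    for method, outcome in detail.items():
        print(f"  {method}: {outcome}")
```

With a real instance, a token that reaches `UsersManager.getUsers` is a super-user token and the writes listed in the post (user and site administration) should be assumed possible; a token that stops at the view probe can still pull every report the user can see. Treat the probe as read-only reconnaissance: none of the three calls modifies anything.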