Working with Embedded Matomo Widgets

Kiusau · April 30, 2018, 2:55am

BACKGROUND: I recently loaded a Matomo widget from my 3rd party webserver to my local test server, and to my great surprise it worked. Reading the widget guide suggested, however,
that this is not possible without special user authorization.

QUESTION: Is it correct to assume that anyone can see the contents of a widget embedded on a webpage? If not, what must I do to make it possible?

Roddy

Lukas · April 30, 2018, 6:15am

Hi,

If view access to your website is enabled to anonymous users, everyone can see a widget. Otherwise you’ll need to add the access_token parameter.

But keep in mind that everyone with the access_token has full access to the corresponding user account.

Kiusau · April 30, 2018, 2:29pm

The MANUAL: “Users with the ‘view’ permission can view all reports in Matomo (Piwik) for the website(s) the user is set to ‘view’.”

A POSSIBLE CONSEQUENCE?: This suggests that once a widget is made visible on a website to anonymous visitors, anyone who understands page source can discover the location of the piwik.php file, and anyone who understands both page source and Matomo has full access to all the data available for a website via a Matomo widget. One has only to write the appropriate query string and voilá: the widget appears! Is this an accurate assessment?

MY DESIRE: What I would like to achieve is the following: Display a select number of widgets for anonymous visitors without giving access to my entire Matomo database to those visitors knowledgeable about the creation and use of Matomo widgets.

QUESTION: Is my desire even possible without having to write an AJAX call?

Roddy

Lukas · April 30, 2018, 2:44pm

Hi,

Your interpretation is correct and there is currently no way to limit which widgets a token can access.

There is a github issue about implementing this, but I can’t find it at the moment.

More info:

github.com/matomo-org/matomo

Hijacking user account via embedded widgets using token_auth

opened 08:47PM - 03 Jan 18 UTC

closed 07:38PM - 30 Mar 18 UTC

JanBartels

duplicate

I embed a Piwik-widget on an external site in an IFrame using the generated URL …by Piwik for example to display the list of pages: https://piwik.domain.tld/index.php?module=Widgetize&action=iframe&widget=1&moduleToWidgetize=Actions&actionToWidgetize=getPageUrls&idSite=2&period=range&date=last30&disableLink=1&widget=1&token_auth=xxx This works fine and the wanted widget is displayed correctly. But now every user of the embedding website is able to read this URL in the source code of the embedding website and modify it by removing the URL-parameter "&action=iframe" resulting in: https://piwik.domain.tld/index.php?module=Widgetize&widget=1&moduleToWidgetize=Actions&actionToWidgetize=getPageUrls&idSite=2&period=range&date=last30&disableLink=1&widget=1&token_auth=xxx Entering this modified URL into the browser the user is granted full access to Piwik including the UserManager. Thus, he is able to set a new password or generate new token_auth and take over full control over the user account. If a token_auth of an administrator-account was used, this leads to even worse problems. The token_auth, which should protect an account used for embedding widgets externally, is completely useless and raises a security issue IMHO. I haven't found any (user-)configuration preventing this scenario, yet. If there are any, please advice. The version of Piwik is 3.2.1.

github.com/matomo-org/matomo

Add support for app specific tokens

opened 04:39AM - 30 Oct 14 UTC

closed 03:04AM - 18 Mar 20 UTC

tsteur

Major Enhancement c: Security

It would be great if a user could create app specific passwords and revoke them …if needed. For instance you might want to create a new app specific password for each device when using the mobile app. If you ever lose a device (phone) you can simply revoke the password that you have used for this device but all other passwords would be still valid. You do not want to create a new user for the mobile app with a different password as you would have to sync/change the dashboards and ViewDataTable params for each user. Once we implement features like "Continuity" one would still benefit of those features. With "Continuity" I mean when opening the mobile app it could open the same website and report that you have accessed last on the desktop although different passwords are used etc. This would not be possible if someone had to create multiple users for each device. You might also want to generate app specific passwords for different servers that talk to the Piwik HTTP API etc. It will be also useful if we ever generate 2-factor authentication. App specific passwords would consist of an App name (eg PiwikMobileApp, or PythonClientWhatever), a device (eg PhoneXYZ or ServerXYZ) and a generated password. This password would be ideally quite long, eg 16 characters. Before someone can generate a new specific app password we should ask him for his actual password and only generate / or only let him manage his app passwords if the actual password is correct. Some systems that do support app specific passwords would not let you log in into the browser version (meaning regular Piwik login) with an app specific password but we would probably still do? * [ ] Store tokens / passwords hashed * [ ] Do no longer show them anywhere in the UI

Kiusau · April 30, 2018, 2:53pm

I was not thinking about using a token for specific users; rather, making VIEW available to anonymous users and then limiting their access to specific widgets. I can see, however, how this problem would apply to users both with a token and without.

OK. So, for the moment it is AJAX! Not a big deal, mind you, just a little more coding for users, a possible new project for Matomo.

Roddy

haroon · July 13, 2020, 6:53am

any development on this. what can be done so that visitors can only see what is embedded on the web page rather than having access to the dashboard. thanks

Kiusau · July 13, 2020, 7:11am

I gave up on Matomo accommodating this notion and created my own widgets using a combination of JavaScript libraries, PHP requests to Marino’s APIs, and AJAX.

haroon · July 13, 2020, 8:17am

hmm, I dont think this happened with piwik. I just accidentally deleted the old directory so had to install this all again and saw this issue. Do you think password protecting the matomo folder would help or it will clash with the matomo script too

haroon · July 13, 2020, 10:22am

just tried it doesn’t work. But I wonder if the matomo folder is password protected and the password is provided to the matomo script for its bots then it might work.