Wednesday, November 28, 2012 - 07:40

Piwik 1.9.2 came with a backdoor and now ignores IE10 DNT headers

The 1.9.2 release of Piwik came - aside from a backdoor for some installations - with a nifty new feature. It ignores IE10's DoNotTrack settings completely and it also lies to you about it in the settings.

There's no option to disable this BS. You can only enable or disable DNT. But you cannot override the decision to ignore DNT with IE10. Well. That's unfortunate.

The changelog states the following:

starting from Piwik 1.9.2, the Do Not Track browser setting will be ignored for IE 10 browsers. Because all IE10 browsers have DNT enabled, we cannot afford not to record in Piwik all IE10. So we decided to ignore the DNT setting for all IE10 users.

Apparently it was too much to leave this decision to the website owner, or to at least correct the statement made in the privacy section, which still claims this:

When users have set their web browser to "I do not want to be tracked" (DoNotTrack is enabled) then Piwik will not track these visits.

Which is a blatant lie, as Piwik ignores the setting for IE10 no matter what the user's actual intention may or may not be.
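To make the difference concrete, here is an added example (not Piwik's own code) of a server-side DNT check in Python: it reproduces the 1.9.2 rule of silently ignoring DNT for IE10 user agents next to a variant where that exception is an explicit site-owner setting. The policy fields, the IE10 user-agent pattern and the sample requests are assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample requests (header dicts), not captured traffic.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)", "DNT": "1"},
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)", "DNT": "1"},
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0", "DNT": "1"},
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0"},
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)", "DNT": "0"},
]

# Assumed pattern for an IE10 user agent (the "MSIE 10." token).
IE10_RE = re.compile(r"\bMSIE 10\.")


@dataclass
class DntPolicy:
    honor_dnt: bool = True            # the only switch Piwik 1.9.2 exposes to the site owner
    ignore_dnt_for_ie10: bool = True  # hard-coded in 1.9.2; made configurable here


def _header(headers, name):
    # Header names are case-insensitive; normalise before lookup.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_ie10(user_agent):
    return bool(IE10_RE.search(user_agent or ""))


def dnt_requested(headers):
    # "DNT: 1" means the user asked not to be tracked; absent or "0" expresses no preference.
    return _header(headers, "DNT").strip() == "1"


def may_track(headers, policy):
    if not policy.honor_dnt or not dnt_requested(headers):
        return True
    if policy.ignore_dnt_for_ie10 and is_ie10(_header(headers, "User-Agent")):
        return True  # 1.9.2 behaviour: the header is overridden for IE10
    return False


def count_tracked(requests, policy):
    return sum(1 for r in requests if may_track(r, policy))
```

Running `count_tracked` over the sample requests with `DntPolicy()` (the 1.9.2 rule) counts the IE10 visit that sent `DNT: 1`, while `DntPolicy(ignore_dnt_for_ie10=False)` leaves that decision to the header as the privacy page promises.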

On top of that, the update came with a little surprise for an unknown number of installations. For a couple of hours their server distributed a package containing a backdoor. Apparently the attacker gained access to the server through a vulnerable WordPress plugin. Now who would have guessed that?

A malicious package can be identified by following these instructions.