On-site analytics widget not secure

So far, I've really enjoyed Clicky, but I have discovered something that hasn't made me very happy.

I have the on-site analytics widget enabled, which I love. However, if a user creates an account on my self-hosted WordPress website (for example, to post to my forum or to leave a comment), the Clicky widget is visible to them.

I discovered this when I created a fake "role-play" type account for my forum. My fake account was created with the standard preferences, which meant that many of the WP website features weren't available to it.

However, my fake user could not only see the Clicky on-site badge but could click on the badge and have it launch my Clicky website page (e.g., dashboard!)!!

I don't want random people accessing my Clicky page, seeing my web stats, or seeing my user ID. This feels like one close step to somebody being able to access my credit card numbers.

I haven't fully tested this but I was signed out of my WP admin account and only signed in with the fake forum account, so my expectation is that the Clicky badge wouldn't be visible.

I'm not going to run through a full test scenario of logging in and out, etc. I want you to explain the behavior to me. If this is a security hole, I expect you to let me know and I'll remove the plug-in for now.

I'm assuming this isn't the case and perhaps your plug-in relies on cookies and not logins, but I wasn't very happy when I noticed this behavior.

Posted Sun Feb 16 2014 10:27a by Sarahbv1971

This seems to have changed now, Sarah. I noticed this a couple of months ago; however, I'm using Blogspot. The past couple of months I've been using dynamic views, so I forgot about this widget.

Posted Sun Feb 16 2014 1:08p by stijbob

The on-site analytics is not based on YOUR account on YOUR site, it is based on YOUR account on Clicky. If you're logged in and the cookie reads true that you're logged into Clicky, you will see the on-site analytics. If you're not logged in to Clicky and the cookie is not set then you don't see the analytics, therefore visitors are not seeing your analytics ;)

Posted Mon Feb 17 2014 4:57a by ringo64

Yeah, it's based on your Clicky login. Try doing what you did from a different computer that you've never used to log in to Clicky. You won't see the widget!

Posted Mon Feb 17 2014 8:07a by Your Friendly Clicky Admin

I used Clicky for a week or two and then it stopped working???

Posted Thu Feb 20 2014 2:24p by show1234me

