Eh. The analytics data is pretty low value as far as hacker targets, and this can be mostly mitigated anyways by sane segregation of the admin backend from the publicly accessible site.
There's an open ticket for it, but it looks like it hasn't been addressed in a while since they don't want to break all existing passwords.
A low value target maybe, but having a critical security ticket open for seven years is unforgivable. If they don't want to break compatibility it's pretty simple: use something like PHPass and upgrade the hash when the user next logs in. i.e. what every halfway sensible web app did at least five years ago.
I'm not interesting in further dehumanizing myself with participation in a bug bounty program.
I'll write an exploit for it (the general case, not just Piwik in particular) and drop it on OSS Sec some day, but here's a theoretical attack:
1. Guess a username somehow. Maybe "admin"? Whatever, we're interested in the security of the hash function. Let's assume we have the username for our target.
2. Calculate a bunch of guess passwords, such that we have one hash output for each possible value for the first N hexits.
3. Send these guess passwords repeatedly and use timing information to get an educated guess on the first valid MD5 hash.
4. Iterate steps 2 and 3 until you have the first N bytes of the MD5 hash for the password.
5. Use offline methods to generate password guesses against a partial hash.
The end result: A timing attack that consequently allows an optimized offline guess. So even if their entire codebase is immune to SQL injection, you can still launch a semi-blind cracking attempt against them.
https://github.com/piwik/piwik/blob/7f375924db9328f20a0b7cb1...
https://github.com/piwik/piwik/blob/6846145992278b52a2a35a8f...