[OSM-dev] OSMand Live can steal your money
Andy Allan
gravitystorm at gmail.com
Fri Jan 12 14:03:20 UTC 2018
In general, I'd like to disable HTTP Basic Auth for our API and only
use OAuth. This removes any need to share your OSM password with third
parties. However, developers often find it easier to build
integrations using basic auth, so I can imagine some opposition to
this.
Thanks,
Andy
On 12 January 2018 at 13:15, Darafei "Komяpa" Praliaskouski
<me at komzpa.net> wrote:
> Hi,
>
> https://osmand.net/osm_live requests the user's OSM password and e-mail in
> exchange for a promise of bitcoin payment.
>
> There is no way to check that the password is not being collected, with or
> without the knowledge of the service authors. At least 1100 accounts may be
> affected.
>
> The simplest attack vector may be "if the password matches on the Google Drive of this
> e-mail address, and there's a backup of a wallet there, and the password matches there too,
> get all the money from there".
>
> What can be done on osm.org side to mitigate it?
> Can password reset be forced for affected users, and for those who keep
> coming to that form?
>
> _______________________________________________
> dev mailing list
> dev at openstreetmap.org
> https://lists.openstreetmap.org/listinfo/dev
>
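To make the Basic-vs-OAuth point above concrete, here is an added example (not code from the OpenStreetMap website, from OsmAnd, or from anyone in this thread) of what the two schemes look like at the API boundary. It implements OAuth 1.0a HMAC-SHA1 request signing and verification per RFC 5849, which is the flavour the OSM API 0.6 used at the time, and a server-side check that refuses `Authorization: Basic` outright. The consumer key/secret, token/secret, nonce and timestamp are constructed for illustration; the signing client only ever holds the consumer credentials and the user's access token, never the user's OSM password, and the token can be revoked on osm.org without a password reset.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s):
    """RFC 3986 percent-encoding as RFC 5849 section 3.6 requires."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """Signature base string (RFC 5849 section 3.4.1): method, normalised
    URL and the sorted, encoded request parameters (minus the signature)."""
    parts = urlsplit(url)
    scheme, netloc = parts.scheme.lower(), parts.netloc.lower()
    if (scheme, parts.port) in (("http", 80), ("https", 443)):
        netloc = parts.hostname  # default ports are dropped on both sides
    normalized_url = f"{scheme}://{netloc}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    param_string = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(normalized_url), pct(param_string)])


def hmac_sha1_signature(base, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by consumer and token secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None):
    """Client side. Only the app's consumer key/secret and the user's access
    token/secret are involved; the user's OSM password never reaches the app."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(
        base_string(method, url, params), consumer_secret, token_secret)
    return params


def authorization_header(params):
    """Serialise the oauth_* parameters into an Authorization header value."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


def parse_authorization(header):
    """Split an Authorization header into its scheme and (for OAuth) its params."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    if scheme == "OAuth":
        for item in rest.split(","):
            k, _, v = item.strip().partition("=")
            params[unquote(k)] = unquote(v.strip('"'))
    return scheme, params


def verify_request(method, url, header, consumer_secrets, token_secrets,
                   now=None, max_skew=300):
    """Server side. Refuses HTTP Basic outright (the change proposed above),
    then recomputes the HMAC over the received parameters. Returns (ok, reason)."""
    scheme, params = parse_authorization(header)
    if scheme == "Basic":
        return False, "HTTP Basic authentication is disabled; use OAuth"
    if scheme != "OAuth":
        return False, "unsupported authentication scheme"
    try:
        consumer_secret = consumer_secrets[params["oauth_consumer_key"]]
        token_secret = token_secrets[params["oauth_token"]]
        timestamp = int(params["oauth_timestamp"])
        provided = params["oauth_signature"]
    except (KeyError, ValueError):
        return False, "missing or unknown oauth parameters"
    if abs((now if now is not None else int(time.time())) - timestamp) > max_skew:
        return False, "timestamp outside the accepted window"
    expected = hmac_sha1_signature(base_string(method, url, params), consumer_secret, token_secret)
    if not hmac.compare_digest(expected, provided):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed credentials: a fictitious app and an access token the user
    # authorised on osm.org without typing a password into the app.
    URL = "https://api.openstreetmap.org/api/0.6/user/details"
    hdr = authorization_header(sign_request("GET", URL, "app-key", "app-secret",
                                            "user-token", "user-token-secret"))
    secrets_db = ({"app-key": "app-secret"}, {"user-token": "user-token-secret"})
    print(hdr)
    print(verify_request("GET", URL, hdr, *secrets_db))
    print(verify_request("GET", URL, "Basic dXNlcjpwYXNz", *secrets_db))
```

The signature binds the method, URL and parameters, so a token-holding third party can only do what the user authorised for that token, and the server can cut it off by deleting the token secret; with Basic auth the same header carries the password itself, which is exactly what the form in Darafei's message collects.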