[OSM-dev] OSMand Live can steal your money
Ilya Zverev
ilya at zverev.info
Fri Jan 12 14:21:52 UTC 2018
I’d like to remind everyone that OsmAnd is an open app, with both mobile and webside code available on GitHub. The author would be grateful if anybody here updated the php code to use OAuth instead of login and password:
https://github.com/osmandapp/osmandapp.github.io/tree/master/website <https://github.com/osmandapp/osmandapp.github.io/tree/master/website>
Ilya
> 12 янв. 2018 г., в 16:15, Darafei Komяpa Praliaskouski <me at komzpa.net> написал(а):
>
> Hi,
>
> https://osmand.net/osm_live <https://osmand.net/osm_live> requests user's OSM password and e-mail in exchange of promise of bitcoin payment.
>
> There is no way to check that the password is not being collected, with or without knowledge of service authors. At least 1100 accounts may be affected.
>
> Simplest attack vector may be "if password matches on google drive of this e-mail and there's a backup of wallet there and password matches there too, get all the money from there".
>
> What can be done on osm.org <http://osm.org/> side to mitigate it?
> Can password reset be forced for affected users, and for those who keep coming to that form?
> _______________________________________________
> dev mailing list
> dev at openstreetmap.org
> https://lists.openstreetmap.org/listinfo/dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/dev/attachments/20180112/0685dcc8/attachment.html>
More information about the dev
mailing list