[OSM-dev] OSMand Live can steal your money
toby.murray at gmail.com
Fri Jan 12 17:02:41 UTC 2018
Well, originally they weren't even using HTTPS for that form
submission. I opened an issue about it, and at least HTTPS has been
implemented since then.
On Fri, Jan 12, 2018 at 7:15 AM, Darafei "Komяpa" Praliaskouski
<me at komzpa.net> wrote:
> https://osmand.net/osm_live requests the user's OSM password and e-mail in
> exchange for a promise of bitcoin payment.
> There is no way to check that the password is not being collected, with or
> without knowledge of service authors. At least 1100 accounts may be
> The simplest attack vector may be "if password matches on google drive of this
> e-mail and there's a backup of wallet there and password matches there too,
> get all the money from there".
> What can be done on osm.org side to mitigate it?
> Can password reset be forced for affected users, and for those who keep
> coming to that form?
> dev mailing list
> dev at openstreetmap.org