[OSM-dev] OSMand Live can steal your money

Toby Murray toby.murray at gmail.com
Fri Jan 12 17:02:41 UTC 2018


Well originally they weren't even using HTTPS for that form
submission. I opened an issue about it and at least HTTPS has been
implemented since then.

Issue: https://github.com/osmandapp/osmandapp.github.io/issues/37

Toby

On Fri, Jan 12, 2018 at 7:15 AM, Darafei "Komяpa" Praliaskouski
<me at komzpa.net> wrote:
> Hi,
>
> https://osmand.net/osm_live requests the user's OSM password and e-mail in
> exchange for a promise of bitcoin payment.
>
> There is no way to check that the password is not being collected, with or
> without the knowledge of the service authors. At least 1100 accounts may be
> affected.
>
> The simplest attack vector may be "if the password matches on the Google Drive of this
> e-mail and there's a backup of a wallet there and the password matches there too,
> get all the money from there".
>
> What can be done on osm.org side to mitigate it?
> Can password reset be forced for affected users, and for those who keep
> coming to that form?
>
> _______________________________________________
> dev mailing list
> dev at openstreetmap.org
> https://lists.openstreetmap.org/listinfo/dev
>