[OSM-dev] OSMand Live can steal your money

Toby Murray toby.murray at gmail.com
Fri Jan 12 17:02:41 UTC 2018

Well originally they weren't even using HTTPS for that form
submission. I opened an issue about it and at least HTTPS has been
implemented since then.

Issue: https://github.com/osmandapp/osmandapp.github.io/issues/37


On Fri, Jan 12, 2018 at 7:15 AM, Darafei "Komяpa" Praliaskouski
<me at komzpa.net> wrote:
> Hi,
> https://osmand.net/osm_live requests user's OSM password and e-mail in
> exchange of promise of bitcoin payment.
> There is no way to check that the password is not being collected, with or
> without knowledge of service authors. At least 1100 accounts may be
> affected.
> Simplest attack vector may be "if password matches on google drive of this
> e-mail and there's a backup of wallet there and password matches there too,
> get all the money from there".
> What can be done on osm.org side to mitigate it?
> Can password reset be forced for affected users, and for those who keep
> coming to that form?
> _______________________________________________
> dev mailing list
> dev at openstreetmap.org
> https://lists.openstreetmap.org/listinfo/dev

More information about the dev mailing list