[OSM-dev] OSMand Live can steal your money

Darafei "Komяpa" Praliaskouski me at komzpa.net
Sun Jan 14 20:07:19 UTC 2018


What is needed to disable HTTP Basic Auth on the API?

Fri, 12 Jan 2018 at 17:03, Andy Allan <gravitystorm at gmail.com>:

> In general, I'd like to disable HTTP Basic Auth to our API, and only
> use OAuth. This removes any need to share your OSM password with third
> parties. However, developers often find it easier to build
> integrations using basic auth, so I can imagine some opposition to
> this.
>
> Thanks,
> Andy
>
> On 12 January 2018 at 13:15, Darafei "Komяpa" Praliaskouski
> <me at komzpa.net> wrote:
> > Hi,
> >
> > https://osmand.net/osm_live requests user's OSM password and e-mail in
> > exchange of promise of bitcoin payment.
> >
> > There is no way to check that the password is not being collected, with
> > or without knowledge of service authors. At least 1100 accounts may be
> > without knowledge of service authors. At least 1100 accounts may be
> > affected.
> >
> > Simplest attack vector may be "if password matches on google drive of
> > this e-mail and there's a backup of wallet there and password matches
> > there too, get all the money from there".
> >
> > What can be done on osm.org side to mitigate it?
> > Can password reset be forced for affected users, and for those who keep
> > coming to that form?
> >
> > _______________________________________________
> > dev mailing list
> > dev at openstreetmap.org
> > https://lists.openstreetmap.org/listinfo/dev
> >
>
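The policy Andy describes, refusing HTTP Basic Auth on the API and accepting only OAuth tokens so that no third party ever has a reason to ask for an OSM password, can be expressed as a small request filter. The following is an added example written for this thread, not code from the OSM API or from OsmAnd; it assumes a request is represented as a dict of headers, and the token store and the sample requests are constructed stand-ins. Refused Basic Auth attempts are tallied by User-Agent (the credentials themselves are never decoded or logged), which gives operators a view of which integrations are still collecting passwords.

```python
"""Refuse HTTP Basic Auth on an API and accept only OAuth bearer tokens.

Added example, not OSM's code. Assumptions: headers arrive as a dict, and
valid OAuth access tokens are looked up by SHA-256 digest in TOKEN_STORE
(a constructed stand-in for a real token database).
"""
import hashlib
import logging
from collections import Counter

log = logging.getLogger("api.auth")


def _digest(token: str) -> str:
    """Store only digests so a leaked token table yields no usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed token store: digest(token) -> name of the OAuth client that owns it.
TOKEN_STORE = {
    _digest("tok-editor-app-123"): "editor-app",
}

# Tally of refused Basic Auth attempts per User-Agent. This is the detection
# side: it shows which integrations still send passwords after the switch-off.
basic_auth_rejections = Counter()


def parse_auth_scheme(value):
    """Split an Authorization header into (scheme, credentials).

    Scheme names are case-insensitive (RFC 7235), so the scheme is lowercased.
    Returns (None, None) for an absent or malformed header.
    """
    if not value:
        return None, None
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return None, None
    return parts[0].lower(), parts[1].strip()


def authenticate(headers):
    """Return (ok, client_name, reason) for one request's headers.

    Basic credentials are refused before they are decoded, so the password
    never reaches application code or logs; only the User-Agent is counted.
    Bearer tokens are checked against TOKEN_STORE by digest.
    """
    scheme, creds = parse_auth_scheme(headers.get("Authorization"))
    user_agent = headers.get("User-Agent", "<none>")
    if scheme is None:
        return False, None, "missing or malformed credentials"
    if scheme == "basic":
        basic_auth_rejections[user_agent] += 1
        log.warning("Basic Auth refused for user-agent=%r", user_agent)
        return False, None, "basic auth not accepted; use OAuth"
    if scheme == "bearer":
        client = TOKEN_STORE.get(_digest(creds))
        if client is None:
            return False, None, "unknown token"
        return True, client, "ok"
    return False, None, f"unsupported scheme {scheme}"


def rejection_report():
    """User-Agents still sending passwords, most frequent first."""
    return basic_auth_rejections.most_common()


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample requests: one OAuth client, one legacy password user.
    samples = [
        {"Authorization": "Bearer tok-editor-app-123", "User-Agent": "EditorApp/1.0"},
        {"Authorization": "Basic dXNlcjpwYXNz", "User-Agent": "LegacyTool/0.9"},
        {"User-Agent": "Anon/1.0"},
    ]
    for req in samples:
        print(req.get("User-Agent"), "->", authenticate(req))
    print("still using Basic Auth:", rejection_report())
```

Running the block prints one line per sample request followed by the tally; the middle request is refused without its base64 payload ever being decoded. In a real deployment the refusal would be a 401 with a `WWW-Authenticate: Bearer` challenge, and the tally would feed a dashboard so that the integrations still asking users for passwords can be contacted before Basic Auth is switched off.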