[Osmf-talk] OSMand Live can steal your money

Darafei "Komяpa" Praliaskouski me at komzpa.net
Fri Jan 12 13:15:00 UTC 2018


Hi,

https://osmand.net/osm_live requests the user's OSM password and e-mail in
exchange for the promise of a bitcoin payment.

There is no way to check that the password is not being collected, with or
without knowledge of service authors. At least 1100 accounts may be
affected.

The simplest attack vector may be "if the password matches on the Google Drive of this
e-mail and there's a backup of a wallet there and the password matches there too,
get all the money from there".

What can be done on osm.org side to mitigate it?
Can password reset be forced for affected users, and for those who keep
coming to that form?