[Osmf-talk] OSMand Live can steal your money

Ivo Stankov ivo at e-stankov.com
Fri Jan 12 19:51:27 UTC 2018


I agree that such practices should be confronted by the OSMF.

An OAuth 2.0 flow should be the tool of choice for such use cases.

Best,
Ivo

On 01/12/2018 02:15 PM, Darafei "Komяpa" Praliaskouski wrote:
> Hi,
> 
> https://osmand.net/osm_live requests the user's OSM password and e-mail in
> exchange for a promise of bitcoin payment.
> 
> There is no way to check that the password is not being collected, with
> or without knowledge of service authors. At least 1100 accounts may be
> affected.
> 
> Simplest attack vector may be "if password matches on google drive of
> this e-mail and there's a backup of wallet there and password matches
> there too, get all the money from there".
> 
> What can be done on osm.org side to mitigate it?
> Can password reset be forced for affected users, and for those who keep
> coming to that form?
> 
> 
> _______________________________________________
> osmf-talk mailing list
> osmf-talk at openstreetmap.org
> https://lists.openstreetmap.org/listinfo/osmf-talk
> 
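As an added illustration of the alternative Ivo's reply points at, and not code from this thread, from OsmAnd or from OpenStreetMap, the following Python simulates an OAuth 2.0 authorization code flow with PKCE (RFC 7636) entirely in-process: an authorization server, a third-party client, and the redirects between them. The user's password is only ever entered at the authorization server; the client ends up with a scoped bearer token it can be given, revoked and audited separately. The endpoint URLs, client id, redirect URI, scope names and user names are invented for the example and are not the real OSM API values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed, illustrative endpoint and client registration (not OSM's real ones).
AUTH_ENDPOINT = "https://auth.example.org/oauth2/authorize"
REDIRECT_URI = "https://client.example.org/callback"
CLIENT_ID = "osm-live-demo"


def s256(verifier: str) -> str:
    """PKCE code_challenge = BASE64URL(SHA256(code_verifier)), no padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """In-memory stand-in for the identity provider. The password is presented
    only here; the third-party client never sees it."""

    def __init__(self):
        self.clients = {CLIENT_ID: REDIRECT_URI}   # registered redirect URIs
        self.pending = {}    # authorization code -> details, consumed on first use
        self.tokens = {}     # access token -> {"user", "scope"}

    def authorize(self, auth_url: str, authenticated_user: str) -> str:
        """The user's browser visits the authorization endpoint; after login with
        the server, it is redirected back to the client with a short-lived code."""
        q = _query(auth_url)
        if self.clients.get(q.get("client_id")) != q.get("redirect_uri"):
            raise ValueError("unknown client_id or unregistered redirect_uri")
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("only the authorization code flow with PKCE S256 is accepted")
        code = secrets.token_urlsafe(32)
        self.pending[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                              "challenge": q["code_challenge"], "scope": q.get("scope", ""),
                              "user": authenticated_user}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict) -> dict:
        """Exchange a single-use code for a bearer token; the caller must prove
        possession of the code_verifier that produced the original challenge."""
        entry = self.pending.pop(form.get("code"), None)
        if entry is None:
            raise ValueError("invalid, expired or already used authorization code")
        if form.get("client_id") != entry["client_id"] or form.get("redirect_uri") != entry["redirect_uri"]:
            raise ValueError("client_id/redirect_uri do not match the authorization request")
        if not hmac.compare_digest(s256(form.get("code_verifier", "")), entry["challenge"]):
            raise ValueError("PKCE verification failed")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": entry["user"], "scope": entry["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "scope": entry["scope"]}


class Client:
    """The third-party service: per login attempt it keeps a code_verifier and a
    state value, and ends up with a scoped token rather than credentials."""

    def __init__(self):
        self.verifier = None
        self.state = None

    def start(self, scope: str) -> str:
        self.verifier = secrets.token_urlsafe(64)   # 86 chars, within RFC 7636's 43..128
        self.state = secrets.token_urlsafe(16)      # binds the callback to this session
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "scope": scope, "state": self.state,
                  "code_challenge": s256(self.verifier), "code_challenge_method": "S256"}
        return AUTH_ENDPOINT + "?" + urlencode(params)

    def finish(self, callback_url: str, server: AuthorizationServer) -> dict:
        q = _query(callback_url)
        if not hmac.compare_digest(q.get("state", ""), self.state):
            raise ValueError("state mismatch: callback not initiated by this session")
        return server.token({"grant_type": "authorization_code", "code": q["code"],
                             "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                             "code_verifier": self.verifier})


def run_flow(user: str = "alice", scope: str = "read_prefs write_api"):
    """Drive one complete login in-process; returns (client, server, token response)."""
    server = AuthorizationServer()
    client = Client()
    auth_url = client.start(scope)
    # The browser follows auth_url and the user authenticates with the server;
    # the client only ever receives the redirect carrying the code and state.
    callback_url = server.authorize(auth_url, user)
    return client, server, client.finish(callback_url, server)


if __name__ == "__main__":
    _, srv, tok = run_flow()
    print(tok["token_type"], tok["scope"], srv.tokens[tok["access_token"]]["user"])
```

The three checks that matter for the thread's concern are all visible in `token()` and `finish()`: the code is single use, the exchange fails without the original verifier (so an intercepted code is useless), and the callback is rejected if `state` does not match the session that started the flow. Everything the client holds afterwards is a token the user can revoke at the authorization server without changing their password.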


