[Osmf-talk] OSMand Live can steal your money
Yves
yvecai at gmail.com
Fri Jan 12 21:36:20 UTC 2018
There's plenty of 0auth flows around the web. Basic auth should probably be disabled.
Yves
Le 12 janvier 2018 20:51:27 GMT+01:00, Ivo Stankov <ivo at e-stankov.com> a écrit :
>I agree that such practices should be confronted by the OSMF.
>
>An OAuth 2.0 flow should be the tool of choice for such usecases.
>
>Best,
>Ivo
>
>On 01/12/2018 02:15 PM, Darafei "Komяpa" Praliaskouski wrote:
>> Hi,
>>
>> https://osmand.net/osm_live requests user's OSM password and e-mail
>in
>> exchange of promise of bitcoin payment.
>>
>> There is no way to check that the password is not being collected,
>with
>> or without knowledge of service authors. At least 1100 accounts may
>be
>> affected.
>>
>> Simplest attack vector may be "if password matches on google drive of
>> this e-mail and there's a backup of wallet there and password matches
>> there too, get all the money from there".
>>
>> What can be done on osm.org <http://osm.org> side to mitigate it?
>> Can password reset be forced for affected users, and for those who
>keep
>> coming to that form?
>>
>>
>> _______________________________________________
>> osmf-talk mailing list
>> osmf-talk at openstreetmap.org
>> https://lists.openstreetmap.org/listinfo/osmf-talk
>>
>
>_______________________________________________
>osmf-talk mailing list
>osmf-talk at openstreetmap.org
>https://lists.openstreetmap.org/listinfo/osmf-talk
Yves
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/osmf-talk/attachments/20180112/594d44df/attachment.html>
More information about the osmf-talk
mailing list