[Osmf-talk] OSMand Live can steal your money

Yves yvecai at gmail.com
Fri Jan 12 21:36:20 UTC 2018


There are plenty of OAuth flows around the web. Basic auth should probably be disabled. 
Yves 

On 12 January 2018 20:51:27 GMT+01:00, Ivo Stankov <ivo at e-stankov.com> wrote:
>I agree that such practices should be confronted by the OSMF.
>
>An OAuth 2.0 flow should be the tool of choice for such use cases.
>
>Best,
>Ivo
>
>On 01/12/2018 02:15 PM, Darafei "Komяpa" Praliaskouski wrote:
>> Hi,
>> 
>> https://osmand.net/osm_live requests the user's OSM password and e-mail
>> in exchange for a promise of bitcoin payment.
>> 
>> There is no way to check that the password is not being collected,
>> with or without the knowledge of the service authors. At least 1100
>> accounts may be affected.
>> 
>> Simplest attack vector may be "if password matches on google drive of
>> this e-mail and there's a backup of wallet there and password matches
>> there too, get all the money from there".
>> 
>> What can be done on the osm.org side to mitigate it?
>> Can a password reset be forced for affected users, and for those who
>> keep coming to that form?
>> 
>> 
>> _______________________________________________
>> osmf-talk mailing list
>> osmf-talk at openstreetmap.org
>> https://lists.openstreetmap.org/listinfo/osmf-talk
>> 
>

Yves