[Osmf-talk] OSMand Live can steal your money

Jack David Baucum maxolasersquad at gmail.com
Fri Jan 12 21:56:48 UTC 2018


This is a good catch. I've signed up for OSM-live and didn't even think
about this when doing it. Ugh.

I don't see how they can steal your money, just your OSM account. Your OSM
Account doesn't have access to your Bitcoins or bank account.

On Fri, Jan 12, 2018 at 4:39 PM Yves <yvecai at gmail.com> wrote:

> There are plenty of OAuth flows around the web. Basic auth should probably
> be disabled.
> Yves
>
> On 12 January 2018 at 20:51:27 GMT+01:00, Ivo Stankov <ivo at e-stankov.com>
> wrote:
>
>> I agree that such practices should be confronted by the OSMF.
>>
>> An OAuth 2.0 flow should be the tool of choice for such use cases.
>>
>> Best,
>> Ivo
>>
>> On 01/12/2018 02:15 PM, Darafei "Komяpa" Praliaskouski wrote:
>>
>>>  Hi,
>>>
>>>  https://osmand.net/osm_live requests the user's OSM password and e-mail in
>>>  exchange for a promise of bitcoin payment.
>>>
>>>  There is no way to check that the password is not being collected, with
>>>  or without knowledge of service authors. At least 1100 accounts may be
>>>  affected.
>>>
>>>  Simplest attack vector may be "if password matches on google drive of
>>>  this e-mail and there's a backup of wallet there and password matches
>>>  there too, get all the money from there".
>>>
>>>  What can be done on the osm.org side to mitigate it?
>>>  Can password reset be forced for affected users, and for those who keep
>>>  coming to that form?
>>>
>>>
>>> ------------------------------
>>>
>>>  osmf-talk mailing list
>>>  osmf-talk at openstreetmap.org
>>>  https://lists.openstreetmap.org/listinfo/osmf-talk
>>>
>>>
> Yves
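The mitigation the replies converge on is delegated access (OAuth) instead of handing the osm.org password to a third party. The following is an added example, not code from this thread, from OsmAnd or from the OSM project, that makes the difference concrete: a Basic-auth header (what a password-collecting site would have to send, or store) decodes straight back to the password, whereas an OAuth 1.0a-signed request carries only an application key and a per-user, per-application token that osm.org can revoke. The OSM API 0.6 accepted OAuth 1.0a signatures at the time of the thread and the endpoint URL is the real one; the usernames, passwords, keys, tokens, nonce and timestamp are constructed sample values, and nothing is sent over the network.

```python
"""Delegated (OAuth 1.0a, RFC 5849) vs. password-based (Basic) access to the OSM API.

Added example, not code from the OSMF thread, OsmAnd or the OSM project.
Standard library only; the signing and the server-side check are both shown
so the request can be verified offline.  All credentials are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Real OSM API 0.6 endpoint; used here only to build a signature base string.
OSM_USER_DETAILS = "https://api.openstreetmap.org/api/0.6/user/details"


def basic_auth_header(username: str, password: str) -> str:
    """The header a site that collected your password would send on your behalf."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def password_from_basic_header(header: str) -> str:
    """Whoever holds the header (the site, its logs, a proxy) gets the password back."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    return base64.b64decode(blob).decode().split(":", 1)[1]


def _pct(s: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return urllib.parse.quote(s, safe="-._~")


def _base_url(url: str) -> str:
    u = urllib.parse.urlsplit(url)
    return f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"


def oauth1_signature(method, url, params, consumer_secret, token_secret) -> str:
    """HMAC-SHA1 over the RFC 5849 section 3.4.1 signature base string."""
    query = urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((_pct(k), _pct(v)) for k, v in list(params.items()) + query
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _pct(_base_url(url)), _pct(normalized)])
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def oauth1_authorization_header(method, url, consumer_key, consumer_secret,
                                token, token_secret, nonce=None, timestamp=None) -> str:
    """What the application sends: its own key plus the user's per-app token, never the password."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = oauth1_signature(method, url, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{_pct(v)}"' for k, v in params.items())


def parse_oauth_header(header: str) -> dict:
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    out = {}
    for item in rest.split(", "):
        k, _, v = item.partition("=")
        out[k] = urllib.parse.unquote(v.strip('"'))
    return out


def verify_oauth1(method, url, header, consumer_secrets, token_secrets) -> bool:
    """Server side: look up the stored secrets, recompute, compare in constant time.

    A token the user has revoked is simply absent from token_secrets, so the
    application's access ends without the user changing their password.
    """
    p = parse_oauth_header(header)
    try:
        consumer_secret = consumer_secrets[p["oauth_consumer_key"]]
        token_secret = token_secrets[p["oauth_token"]]
    except KeyError:
        return False
    expected = oauth1_signature(method, url, p, consumer_secret, token_secret)
    return hmac.compare_digest(expected, p.get("oauth_signature", ""))


if __name__ == "__main__":
    basic = basic_auth_header("mapper", "hunter2")  # constructed credentials
    print(basic, "->", password_from_basic_header(basic))
    hdr = oauth1_authorization_header("GET", OSM_USER_DETAILS, "app-key", "app-secret",
                                      "user-token", "user-token-secret")
    print(hdr)
    print("verifies:", verify_oauth1("GET", OSM_USER_DETAILS, hdr,
                                     {"app-key": "app-secret"}, {"user-token": "user-token-secret"}))
```

The point for the thread: with Basic auth, every party that ever sees the header has the osm.org password, and the only remedy is the forced reset proposed above; with the signed request, the worst a compromised application can lose is a token that osm.org can revoke for that application alone.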