[Osmf-talk] OSMand Live can steal your money
Steve Friedl
steve at unixwiz.net
Fri Jan 12 23:27:11 UTC 2018
* Your OSM Account doesn't have access to your Bitcoins or bank account.
How many people reuse passwords across multiple services?
From: Jack David Baucum [mailto:maxolasersquad at gmail.com]
Sent: Friday, January 12, 2018 1:57 PM
To: Yves <yvecai at gmail.com>
Cc: osmf-talk at openstreetmap.org
Subject: Re: [Osmf-talk] OSMand Live can steal your money
This is a good catch. I've signed up for OSM-live and didn't even think about this when doing it. Ugh.
I don't see how they can steal your money, just your OSM account. Your OSM Account doesn't have access to your Bitcoins or bank account.
On Fri, Jan 12, 2018 at 4:39 PM Yves <yvecai at gmail.com> wrote:
There's plenty of OAuth flows around the web. Basic auth should probably be disabled.
Yves
On 12 January 2018 20:51:27 GMT+01:00, Ivo Stankov <ivo at e-stankov.com> wrote:
I agree that such practices should be confronted by the OSMF.
An OAuth 2.0 flow should be the tool of choice for such use cases.
Best,
Ivo
On 01/12/2018 02:15 PM, Darafei "Komяpa" Praliaskouski wrote:
Hi,
https://osmand.net/osm_live requests the user's OSM password and e-mail in
exchange for a promise of bitcoin payment.
There is no way to check that the password is not being collected, with
or without knowledge of service authors. At least 1100 accounts may be
affected.
Simplest attack vector may be "if password matches on google drive of
this e-mail and there's a backup of wallet there and password matches
there too, get all the money from there".
What can be done on osm.org side to mitigate it?
Can password reset be forced for affected users, and for those who keep
coming to that form?
_____
osmf-talk mailing list
osmf-talk at openstreetmap.org
https://lists.openstreetmap.org/listinfo/osmf-talk
Yves