[Osmf-talk] OSMand Live can steal your money
Oleksiy Muzalyev
oleksiy.muzalyev at bluewin.ch
Sat Jan 13 13:01:45 UTC 2018
On a Google account it is possible to activate two-step authentication, so
that a password alone is not enough to log in. It takes only about 5
minutes to do it.
It makes sense to do it in any case. We know from the news that John
Podesta learned it the hard way.
I also personally know of a case when a Google account with a sufficiently
complicated password was still somehow logged into by an outsider.
Best regards,
Oleksiy
OSM: Alex-7
On 12.01.18 14:15, Darafei "Komяpa" Praliaskouski wrote:
> Hi,
>
> https://osmand.net/osm_live requests the user's OSM password and e-mail in
> exchange for a promise of bitcoin payment.
>
> There is no way to check that the password is not being collected,
> with or without knowledge of service authors. At least 1100 accounts
> may be affected.
>
> Simplest attack vector may be "if password matches on google drive of
> this e-mail and there's a backup of wallet there and password matches
> there too, get all the money from there".
>
> What can be done on the osm.org side to mitigate it?
> Can a password reset be forced for affected users, and for those who
> keep coming to that form?