[OSM-talk] iD Security

pmailkeey . pmailkeey at googlemail.com
Tue Apr 21 15:10:09 UTC 2015


On 21 April 2015 at 15:58, Serge Wroclawski <emacsen at gmail.com> wrote:

> Seeing the ticket, I think that the behavior here is what I'd expect
> it to be, and what I think many people would expect as well.
>
> It doesn't seem like this is related to iD ignoring cookies, but about
> how you were logged into an account and authorized iD to edit on
> behalf of one of them. I'm not sure that iD could really be doing
> anything radically different.
>
> This is no different than other sites which use cross-site
> authentication systems, i.e. Google, Facebook, etc.
>
> As for it being a security issue - if you logged out of osm.org before
> authenticating yourself from iD, then yes, I see a potential serious
> problem, but that's not what I see reported here.
>
> - Serge
>
>
>
So if I'm logged in to osm as FRED you think it's ok for iD to allow me to
use DERF's account - as that is what happened.

-- 
Mike.
@millomweb <https://sites.google.com/site/millomweb/index/introduction> -
For all your info on Millom and South Copeland
via *the area's premier website - *

*currently unavailable due to ongoing harassment of me, my family, property
& pets*

T&Cs <https://sites.google.com/site/pmailkeey/e-mail>