[OSM-talk] iD Security
phil at trigpoint.me.uk
Tue Apr 21 15:27:06 UTC 2015
On Tue Apr 21 16:10:09 2015 GMT+0100, pmailkeey . wrote:
> On 21 April 2015 at 15:58, Serge Wroclawski <emacsen at gmail.com> wrote:
>
> > Seeing the ticket, I think that the behavior here is what I'd expect
> > it to be, and what I think many people would expect as well.
> >
> > It doesn't seem like this is related to iD ignoring cookies, but about
> > how you were logged into an account and authorized iD to edit on
> > behalf of one of them. I'm not sure that iD could really be doing
> > anything radically different.
> >
> > This is no different than other sites which use cross-site
> > authentication systems, i.e. Google, Facebook, etc.
> >
> > As for it being a security issue- if you logged out of osm.org before
> > authenticating yourself from iD, then yes, I see a potential serious
> > problem, but that's not what I see reported here.
> >
> > - Serge
> >
> >
> >
> So if I'm logged in to osm as FRED you think it's ok for iD to allow me to
> use DERF's account - as that is what happened.
>
You really should not be logging into anything on a computer that has shared accounts.
DERF and FRED should be using different Windows / Linux accounts.
Phil (trigpoint)
--
Sent from my Jolla