[OSM-talk] iD Security

phil at trigpoint.me.uk phil at trigpoint.me.uk
Tue Apr 21 15:27:06 UTC 2015



On Tue Apr 21 16:10:09 2015 GMT+0100, pmailkeey . wrote:
> On 21 April 2015 at 15:58, Serge Wroclawski <emacsen at gmail.com> wrote:
> 
> > Seeing the ticket, I think that the behavior here is what I'd expect
> > it to be, and what I think many people would expect as well.
> >
> > It doesn't seem like this is related to iD ignoring cookies, but about
> > how you were logged into an account and authorized iD to edit on
> > behalf of one of them. I'm not sure that iD could really be doing
> > anything radically different.
> >
> > This is no different than other sites which use cross-site
> > authentication systems, i.e. Google, Facebook, etc.
> >
> > As for it being a security issue - if you logged out of osm.org before
> > authenticating yourself from iD, then yes, I see a potential serious
> > problem, but that's not what I see reported here.
> >
> > - Serge
> >
> >
> >
> So if I'm logged in to osm as FRED you think it's ok for iD to allow me to
> use DERF's account - as that is what happened.
> 
You really should not be logging into anything on a computer that has shared accounts. 

DERF and FRED should be using different Windows / Linux accounts.

Phil (trigpoint)

-- 
Sent from my Jolla

