In general, I'd like to disable HTTP Basic Auth to our API, and only use OAuth. This removes any need to share your OSM password with third parties. However, developers often find it easier to build integrations using basic auth, so I can imagine some opposition to this.
Thanks, Andy On 12 January 2018 at 13:15, Darafei "Komяpa" Praliaskouski <m...@komzpa.net> wrote: > Hi, > > https://osmand.net/osm_live requests user's OSM password and e-mail in > exchange of promise of bitcoin payment. > > There is no way to check that the password is not being collected, with or > without knowledge of service authors. At least 1100 accounts may be > affected. > > Simplest attack vector may be "if password matches on google drive of this > e-mail and there's a backup of wallet there and password matches there too, > get all the money from there". > > What can be done on osm.org side to mitigate it? > Can password reset be forced for affected users, and for those who keep > coming to that form? > > _______________________________________________ > dev mailing list > dev@openstreetmap.org > https://lists.openstreetmap.org/listinfo/dev > _______________________________________________ dev mailing list dev@openstreetmap.org https://lists.openstreetmap.org/listinfo/dev
