What is needed to disable HTTP Basic Auth on the API?

Fri, 12 Jan 2018 at 17:03, Andy Allan <gravityst...@gmail.com>:
> In general, I'd like to disable HTTP Basic Auth to our API, and only
> use OAuth. This removes any need to share your OSM password with third
> parties. However, developers often find it easier to build
> integrations using basic auth, so I can imagine some opposition to
> this.
>
> Thanks,
> Andy
>
> On 12 January 2018 at 13:15, Darafei "Komяpa" Praliaskouski
> <m...@komzpa.net> wrote:
> > Hi,
> >
> > https://osmand.net/osm_live requests user's OSM password and e-mail in
> > exchange of promise of bitcoin payment.
> >
> > There is no way to check that the password is not being collected, with or
> > without knowledge of service authors. At least 1100 accounts may be
> > affected.
> >
> > Simplest attack vector may be "if password matches on google drive of this
> > e-mail and there's a backup of wallet there and password matches there too,
> > get all the money from there".
> >
> > What can be done on osm.org side to mitigate it?
> > Can password reset be forced for affected users, and for those who keep
> > coming to that form?
> >
> > _______________________________________________
> > dev mailing list
> > dev@openstreetmap.org
> > https://lists.openstreetmap.org/listinfo/dev