Re: [OSM-dev] OSMand Live can steal your money

2018-01-14 Thread Komяpa
What is needed to disable HTTP Basic Auth on the API? Fri, Jan 12, 2018 at 17:03, Andy Allan: > In general, I'd like to disable HTTP Basic Auth to our API, and only > use OAuth. This removes any need to share your OSM password with third > parties. However, developers

Re: [OSM-dev] OSMand Live can steal your money

2018-01-12 Thread Paul Norman
On 1/12/2018 6:03 AM, Andy Allan wrote: In general, I'd like to disable HTTP Basic Auth to our API, and only use OAuth. This removes any need to share your OSM password with third parties. However, developers often find it easier to build integrations using basic auth, so I can imagine some

Re: [OSM-dev] OSMand Live can steal your money

2018-01-12 Thread Toby Murray
Well originally they weren't even using HTTPS for that form submission. I opened an issue about it and at least HTTPS has been implemented since then. Issue: https://github.com/osmandapp/osmandapp.github.io/issues/37 Toby On Fri, Jan 12, 2018 at 7:15 AM, Darafei "Komяpa" Praliaskouski

Re: [OSM-dev] OSMand Live can steal your money

2018-01-12 Thread Ilya Zverev
I’d like to remind everyone that OsmAnd is an open app, with both the mobile and website code available on GitHub. The author would be grateful if anybody here updated the PHP code to use OAuth instead of login and password: https://github.com/osmandapp/osmandapp.github.io/tree/master/website

Re: [OSM-dev] OSMand Live can steal your money

2018-01-12 Thread Andy Allan
In general, I'd like to disable HTTP Basic Auth to our API, and only use OAuth. This removes any need to share your OSM password with third parties. However, developers often find it easier to build integrations using basic auth, so I can imagine some opposition to this. Thanks, Andy On 12
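As an added illustration of the difference Andy is describing (example code written for this page, not code from the OSM API, OsmAnd, or any poster in the thread): under HTTP Basic Auth a third-party integration must hold the user's actual OSM password and send it, merely base64-wrapped, on every request, so anyone who sees the header (the integration, its logs, a proxy) recovers the password with one decode. Under OAuth 1.0a, which is what the OSM API's OAuth support was in 2018, the integration holds only a per-user access token and its secret, and each request carries an HMAC-SHA1 signature over the request rather than any secret; the server recomputes the signature with the secrets it already has. The endpoint URL, usernames, keys, tokens, nonce and timestamp below are all constructed for the example.

```python
"""Basic Auth versus OAuth 1.0a request signing, side by side.

Added example for this thread; not code from the OSM API, OsmAnd, or the
osm_live site. All credentials and the endpoint URL are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

# Assumed endpoint; the real API path is not verified here.
API_URL = "https://api.openstreetmap.org/api/0.6/user/details"


def _pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are kept."""
    return quote(str(value), safe="-._~")


def basic_auth_header(username: str, password: str) -> str:
    """What a Basic Auth integration sends on every request: the raw password,
    only base64-wrapped. The integration has to store that password to do this."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def password_from_basic_header(header: str) -> str:
    """Basic Auth is reversible: one decode yields the password."""
    _, _, b64 = header.partition(" ")
    return base64.b64decode(b64).decode().split(":", 1)[1]


def oauth1_signature(method: str, url: str, params: dict,
                     consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the RFC 5849 signature base string.

    `params` are the oauth_* protocol parameters (plus any query/form fields),
    excluding oauth_signature itself. The secrets are part of the HMAC key only;
    they never appear in the request."""
    normalized = "&".join(
        f"{_pct(k)}={_pct(v)}"
        for k, v in sorted((str(k), str(v)) for k, v in params.items())
    )
    base_string = "&".join([method.upper(), _pct(url), _pct(normalized)])
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth1_header(method: str, url: str, consumer_key: str, consumer_secret: str,
                  token: str, token_secret: str, nonce: str = None,
                  timestamp: int = None) -> str:
    """Build the Authorization header a signed OAuth 1.0a request carries.
    Only public identifiers (consumer key, token) and the signature go on the wire."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = oauth1_signature(
        method, url, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(
        f'{_pct(k)}="{_pct(v)}"' for k, v in sorted(params.items()))


def parse_oauth_header(header: str) -> dict:
    """Split an OAuth header back into its parameters (values are percent-encoded)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth 1.0a Authorization header")
    out = {}
    for part in rest.split(", "):
        k, _, v = part.partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def server_verifies(method: str, url: str, header: str,
                    consumer_secret: str, token_secret: str) -> bool:
    """Server side: recompute the signature from the secrets it holds for this
    consumer/token pair and compare in constant time. A request signed with the
    wrong token secret, or replayed against a different method/URL, fails."""
    params = parse_oauth_header(header)
    claimed = params.pop("oauth_signature", "")
    expected = oauth1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(claimed, expected)


if __name__ == "__main__":
    basic = basic_auth_header("alice", "hunter2")  # constructed credentials
    print("Basic header   :", basic)
    print("Recovered pw   :", password_from_basic_header(basic))
    signed = oauth1_header("GET", API_URL, "ckey", "csecret", "tok", "tsecret")
    print("OAuth header   :", signed)
    print("Server verifies:", server_verifies("GET", API_URL, signed, "csecret", "tsecret"))
```

The practical consequence for a site like the one under discussion: with Basic Auth the site must ask for and keep the password, and nobody outside can tell whether it is stored or forwarded; with OAuth the user authorizes the application at the OSM site itself, the application only ever sees the token pair, and the user can revoke that token without changing their password.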

[OSM-dev] OSMand Live can steal your money

2018-01-12 Thread Komяpa
Hi, https://osmand.net/osm_live requests the user's OSM password and e-mail in exchange for the promise of a bitcoin payment. There is no way to check that the password is not being collected, with or without the knowledge of the service's authors. At least 1100 accounts may be affected. The simplest attack vector may