Re: [OSM-dev] OSMand Live can steal your money

2018-01-14 Thread Komяpa
What is needed to disable HTTP Basic Auth on the API?

Fri, 12 Jan 2018 at 17:03, Andy Allan :

> In general, I'd like to disable HTTP Basic Auth to our API, and only
> use OAuth. This removes any need to share your OSM password with third
> parties. However, developers often find it easier to build
> integrations using basic auth, so I can imagine some opposition to
> this.
>
> Thanks,
> Andy
>
> On 12 January 2018 at 13:15, Darafei "Komяpa" Praliaskouski
>  wrote:
> > Hi,
> >
> > https://osmand.net/osm_live requests user's OSM password and e-mail in
> > exchange for a promise of bitcoin payment.
> >
> > There is no way to check that the password is not being collected, with
> > or without knowledge of service authors. At least 1100 accounts may be
> > affected.
> >
> > Simplest attack vector may be "if password matches on google drive of
> > this e-mail and there's a backup of wallet there and password matches
> > there too, get all the money from there".
> >
> > What can be done on osm.org side to mitigate it?
> > Can password reset be forced for affected users, and for those who keep
> > coming to that form?
> >
>
___
dev mailing list
dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/dev


Re: [OSM-dev] OSMand Live can steal your money

2018-01-12 Thread Paul Norman

On 1/12/2018 6:03 AM, Andy Allan wrote:

> In general, I'd like to disable HTTP Basic Auth to our API, and only
> use OAuth. This removes any need to share your OSM password with third
> parties. However, developers often find it easier to build
> integrations using basic auth, so I can imagine some opposition to
> this.


Do we need some terms for the API covering this kind of stuff? Right now 
it's not clear that a service that stores your OSM password server-side 
is violating anything.




Re: [OSM-dev] OSMand Live can steal your money

2018-01-12 Thread Toby Murray
Well originally they weren't even using HTTPS for that form
submission. I opened an issue about it and at least HTTPS has been
implemented since then.

Issue: https://github.com/osmandapp/osmandapp.github.io/issues/37

Toby

On Fri, Jan 12, 2018 at 7:15 AM, Darafei "Komяpa" Praliaskouski
 wrote:
> Hi,
>
> https://osmand.net/osm_live requests user's OSM password and e-mail in
> exchange for a promise of bitcoin payment.
>
> There is no way to check that the password is not being collected, with or
> without knowledge of service authors. At least 1100 accounts may be
> affected.
>
> Simplest attack vector may be "if password matches on google drive of this
> e-mail and there's a backup of wallet there and password matches there too,
> get all the money from there".
>
> What can be done on osm.org side to mitigate it?
> Can password reset be forced for affected users, and for those who keep
> coming to that form?
>



Re: [OSM-dev] OSMand Live can steal your money

2018-01-12 Thread Ilya Zverev
I’d like to remind everyone that OsmAnd is an open app, with both mobile and
website code available on GitHub. The author would be grateful if anybody here
updated the PHP code to use OAuth instead of login and password:

https://github.com/osmandapp/osmandapp.github.io/tree/master/website 


Ilya

> On 12 Jan 2018, at 16:15, Darafei Komяpa Praliaskouski
> wrote:
> 
> Hi,
> 
> https://osmand.net/osm_live requests user's OSM
> password and e-mail in exchange for a promise of bitcoin payment.
> 
> There is no way to check that the password is not being collected, with or 
> without knowledge of service authors. At least 1100 accounts may be affected.
> 
> Simplest attack vector may be "if password matches on google drive of this 
> e-mail and there's a backup of wallet there and password matches there too, 
> get all the money from there".
> 
> What can be done on osm.org side to mitigate it?
> Can password reset be forced for affected users, and for those who keep 
> coming to that form?



Re: [OSM-dev] OSMand Live can steal your money

2018-01-12 Thread Andy Allan
In general, I'd like to disable HTTP Basic Auth to our API, and only
use OAuth. This removes any need to share your OSM password with third
parties. However, developers often find it easier to build
integrations using basic auth, so I can imagine some opposition to
this.

Thanks,
Andy

On 12 January 2018 at 13:15, Darafei "Komяpa" Praliaskouski
 wrote:
> Hi,
>
> https://osmand.net/osm_live requests user's OSM password and e-mail in
> exchange for a promise of bitcoin payment.
>
> There is no way to check that the password is not being collected, with or
> without knowledge of service authors. At least 1100 accounts may be
> affected.
>
> Simplest attack vector may be "if password matches on google drive of this
> e-mail and there's a backup of wallet there and password matches there too,
> get all the money from there".
>
> What can be done on osm.org side to mitigate it?
> Can password reset be forced for affected users, and for those who keep
> coming to that form?
>

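The two proposals in this thread, Ilya's (rewrite the site code to use OAuth instead of login and password) and Andy's (disable HTTP Basic Auth on the API and accept only OAuth), as one added example that is not code from the thread, from the OSM API or from OsmAnd. It shows the OAuth 1.0a HMAC-SHA1 request signing the OSM API accepted at the time, from the client side (what a third-party site sends on the user's behalf, in Python here rather than the site's PHP) and from the server side (what the API verifies), next to a gate that refuses Basic Auth. The consumer key and secret, access token and secret, nonce and timestamp are constructed placeholder values, and the `CONSUMERS`/`TOKENS` dictionaries stand in for the API's credential store.

```python
"""Added example (not from the thread, the OSM API or OsmAnd): OAuth 1.0a
HMAC-SHA1 signing on both sides, plus a gate that refuses HTTP Basic Auth.
All keys, secrets, tokens, nonce and timestamp are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

# Constructed placeholders. A third-party site stores these instead of the
# user's OSM password; the user can revoke them without a password reset.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
ACCESS_TOKEN = "example-access-token"
ACCESS_TOKEN_SECRET = "example-access-token-secret"

# Server-side lookup tables standing in for the API's credential store.
CONSUMERS = {CONSUMER_KEY: CONSUMER_SECRET}
TOKENS = {ACCESS_TOKEN: ACCESS_TOKEN_SECRET}


def pct(value):
    """Percent-encoding as OAuth 1.0a requires (RFC 5849 section 3.6)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Normalize query and oauth_* parameters into the base string (RFC 5849 3.4.1)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by the two secrets; no password involved."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_oauth_header(method, url, query=None, nonce=None, timestamp=None):
    """Client side: the Authorization header a site sends on the user's behalf."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": ACCESS_TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**(query or {}), **oauth},
                                    CONSUMER_SECRET, ACCESS_TOKEN_SECRET)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_oauth_header(header):
    """Split 'OAuth k="v", k2="v2"' back into a dict of decoded parameters."""
    _, _, rest = header.partition(" ")
    fields = {}
    for part in rest.split(", "):
        k, _, v = part.partition("=")
        fields[unquote(k)] = unquote(v.strip('"'))
    return fields


def basic_auth_plaintext(header):
    """Why Basic is refused below: its header decodes straight back to the password."""
    _, _, encoded = header.partition(" ")
    return base64.b64decode(encoded).decode()


def authenticate(method, url, query, authorization, now=None, max_skew=300):
    """Server side: refuse Basic outright, then verify an OAuth 1.0a signature.

    Returns (accepted, reason). A real deployment also records nonces per
    consumer inside the timestamp window to reject replays.
    """
    scheme, _, _ = authorization.partition(" ")
    if scheme == "Basic":
        return False, "basic-auth-disabled"
    if scheme != "OAuth":
        return False, "unsupported-scheme"
    oauth = parse_oauth_header(authorization)
    provided = oauth.pop("oauth_signature", "")
    consumer_secret = CONSUMERS.get(oauth.get("oauth_consumer_key"))
    token_secret = TOKENS.get(oauth.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False, "unknown-credentials"
    now = int(time.time()) if now is None else now
    if abs(now - int(oauth.get("oauth_timestamp", "0") or "0")) > max_skew:
        return False, "stale-timestamp"
    expected = sign(method, url, {**query, **oauth}, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, provided):
        return False, "bad-signature"
    return True, "ok"


if __name__ == "__main__":
    url = "https://api.openstreetmap.org/api/0.6/changesets"
    header = build_oauth_header("GET", url, {"user": "1"})
    print(header)
    print(authenticate("GET", url, {"user": "1"}, header))
    print(authenticate("GET", url, {}, "Basic YWxpY2U6aHVudGVyMg=="))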


[OSM-dev] OSMand Live can steal your money

2018-01-12 Thread Komяpa
Hi,

https://osmand.net/osm_live requests user's OSM password and e-mail in
exchange for a promise of bitcoin payment.

There is no way to check that the password is not being collected, with or
without knowledge of service authors. At least 1100 accounts may be
affected.

Simplest attack vector may be "if password matches on google drive of this
e-mail and there's a backup of wallet there and password matches there too,
get all the money from there".

What can be done on osm.org side to mitigate it?
Can password reset be forced for affected users, and for those who keep
coming to that form?