OSMand Live can steal your money


OSMand Live can steal your money

Darafei "Komяpa" Praliaskouski
Hi,

https://osmand.net/osm_live requests the user's OSM password and e-mail in exchange for a promise of bitcoin payment.

There is no way to check that the password is not being collected, with or without knowledge of service authors. At least 1100 accounts may be affected.

Simplest attack vector may be "if password matches on google drive of this e-mail and there's a backup of wallet there and password matches there too, get all the money from there".

What can be done on osm.org side to mitigate it?
Can password reset be forced for affected users, and for those who keep coming to that form?

_______________________________________________
dev mailing list
[hidden email]
https://lists.openstreetmap.org/listinfo/dev

Re: OSMand Live can steal your money

Andy Allan
In general, I'd like to disable HTTP Basic Auth to our API, and only
use OAuth. This removes any need to share your OSM password with third
parties. However, developers often find it easier to build
integrations using basic auth, so I can imagine some opposition to
this.

Thanks,
Andy

On 12 January 2018 at 13:15, Darafei "Komяpa" Praliaskouski
<[hidden email]> wrote:

Re: OSMand Live can steal your money

Ilya Zverev-2
In reply to this post by Darafei "Komяpa" Praliaskouski
I’d like to remind everyone that OsmAnd is an open app, with both mobile and website code available on GitHub. The author would be grateful if anybody here updated the PHP code to use OAuth instead of login and password:


Ilya

On 12 Jan 2018, at 16:15, Darafei Komяpa Praliaskouski <[hidden email]> wrote:

Re: OSMand Live can steal your money

Toby Murray-2
In reply to this post by Darafei "Komяpa" Praliaskouski
Well originally they weren't even using HTTPS for that form
submission. I opened an issue about it and at least HTTPS has been
implemented since then.

Issue: https://github.com/osmandapp/osmandapp.github.io/issues/37

Toby

On Fri, Jan 12, 2018 at 7:15 AM, Darafei "Komяpa" Praliaskouski
<[hidden email]> wrote:

Re: OSMand Live can steal your money

Paul Norman
In reply to this post by Andy Allan
On 1/12/2018 6:03 AM, Andy Allan wrote:
> In general, I'd like to disable HTTP Basic Auth to our API, and only
> use OAuth. This removes any need to share your OSM password with third
> parties. However, developers often find it easier to build
> integrations using basic auth, so I can imagine some opposition to
> this.

Do we need some terms for the API covering this kind of stuff? Right now
it's not clear that a service that stores your OSM password server-side
is violating anything.


Re: OSMand Live can steal your money

Darafei "Komяpa" Praliaskouski
In reply to this post by Andy Allan
What is needed to disable HTTP Basic Auth on the API?

Fri, 12 Jan 2018 at 17:03, Andy Allan <[hidden email]>:
In general, I'd like to disable HTTP Basic Auth to our API, and only
use OAuth. This removes any need to share your OSM password with third
parties. However, developers often find it easier to build
integrations using basic auth, so I can imagine some opposition to
this.
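As an added example (not OpenStreetMap or OsmAnd code) of what the OAuth-only API gate Andy proposes, and Darafei asks about, looks like in Python: Basic credentials are refused (or merely logged during a transition), usernames of clients still sending Basic auth can be collected for a forced reset without touching the password, and a constructed access-log format is used to size the impact before the switch. The "Authorization" header key and the log format are assumptions for this example.

```python
# Added example, not OpenStreetMap or OsmAnd code: an OAuth-only gate for an HTTP
# API and a helper that lists Basic-auth users for a forced password reset.
# The "Authorization" header key and the log format are assumptions.
import base64
import binascii
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

ALLOWED_SCHEMES = {"oauth", "bearer"}  # OAuth 1.0a header scheme and OAuth 2 tokens


def auth_scheme(authorization: Optional[str]) -> Optional[str]:
    """Lower-cased scheme token of an Authorization header, or None if absent."""
    if not authorization or not authorization.strip():
        return None
    return authorization.strip().split(None, 1)[0].lower()


def check_request(headers: Dict[str, str], allow_basic: bool = False) -> Tuple[int, str]:
    """Return (HTTP status, reason). Basic credentials are refused unless the
    transitional allow_basic flag is set, so the API never needs the OSM password."""
    scheme = auth_scheme(headers.get("Authorization"))
    if scheme is None:
        return 401, "no credentials"
    if scheme == "basic":
        if allow_basic:
            return 200, "basic auth accepted (deprecated)"
        return 401, "basic auth disabled; use OAuth"
    if scheme in ALLOWED_SCHEMES:
        return 200, f"{scheme} accepted"
    return 400, f"unsupported scheme {scheme!r}"


def basic_user(authorization: Optional[str]) -> Optional[str]:
    """Username from a Basic header (for the reset list); the password is discarded."""
    if auth_scheme(authorization) != "basic":
        return None
    try:
        decoded = base64.b64decode(authorization.split(None, 1)[1], validate=True)
    except (IndexError, binascii.Error):
        return None
    user, _, _password = decoded.decode("utf-8", "replace").partition(":")
    return user or None


def scheme_usage(log_lines: Iterable[str]) -> Counter:
    """Requests per scheme from constructed log lines 'METHOD PATH scheme=<s>',
    to size how many clients a Basic-auth shutdown would break."""
    counts: Counter = Counter()
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        counts[fields.get("scheme", "none")] += 1
    return counts
```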