Well, originally they weren't even using HTTPS for that form submission. I opened an issue about it and at least HTTPS has been implemented since then.
Issue: https://github.com/osmandapp/osmandapp.github.io/issues/37

Toby

On Fri, Jan 12, 2018 at 7:15 AM, Darafei "Komяpa" Praliaskouski <[email protected]> wrote:
> Hi,
>
> https://osmand.net/osm_live requests user's OSM password and e-mail in
> exchange of promise of bitcoin payment.
>
> There is no way to check that the password is not being collected, with or
> without knowledge of service authors. At least 1100 accounts may be
> affected.
>
> Simplest attack vector may be "if password matches on google drive of this
> e-mail and there's a backup of wallet there and password matches there too,
> get all the money from there".
>
> What can be done on osm.org side to mitigate it?
> Can password reset be forced for affected users, and for those who keep
> coming to that form?
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://lists.openstreetmap.org/listinfo/dev
>

