This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
Reporter: malenki [Submitted to the original trac issue database at 4.37pm, Monday, 15th November 2010]
While registering for an account at OSM, one has to type in a password twice. After that one gets an email with a link to verify the account to be created.
This link can be used by any third person (e.g. MITM) to verify the account and change the password without having to know the password chosen at registration time.
Author: woodpeck [Added to the original trac issue at 4.58pm, Monday, 15th November 2010]
Please explain why this is a security risk.
Why should the "man in the middle" wait until you register an account, rather than simply registering an account in your name in the first place, something that has always been possible? What does the "man in the middle" gain from hijacking an account that hasn't been used yet and that won't be used in the future?
Author: TomH [Added to the original trac issue at 9.47pm, Monday, 15th November 2010]
I think the point here is that if somebody has gone to the trouble of either hacking into your email or somehow tapping your network traffic and extracting your email from it then they will have much more interesting things to look for in it than an OSM account confirmation email...
Nonetheless, I have made changes to block this by ensuring that new users are not automatically logged in unless they are using the same web browser used to create the account.
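The flow under discussion, as an added example that is not code from openstreetmap-website: a constructed in-memory sketch in which the emailed confirmation link alone grants a session (the reported behaviour), beside the hardened variant that confirms the account but only logs the user in when the request carries the cookie of the browser that registered. The `AccountService` class, its method names and the `browser_token` cookie are assumptions made for illustration.

```ruby
require "securerandom"

# Added example, not code from openstreetmap-website: an in-memory sketch of
# the two confirmation behaviours discussed in this issue (all names assumed).
class AccountService
  def initialize
    @users  = {} # name => { password:, confirmed:, browser_token: }
    @tokens = {} # emailed confirmation token => account name
  end

  # Sign-up issues two secrets: the token that goes into the email, and a
  # token set as a cookie only in the browser that submitted the form.
  def register(name, password)
    browser_token = SecureRandom.hex(16)
    @users[name] = { password: password, confirmed: false, browser_token: browser_token }
    confirm_token = SecureRandom.hex(16)
    @tokens[confirm_token] = name # single use: deleted on first presentation
    { confirm_token: confirm_token, browser_token: browser_token }
  end

  # Reported behaviour: whoever follows the emailed link is confirmed AND
  # logged in, so the link alone suffices to set a new password.
  def confirm_insecure(confirm_token)
    name = @tokens.delete(confirm_token)
    return nil unless name
    @users[name][:confirmed] = true
    name # returned value is the session user
  end

  # Hardened behaviour (the change TomH describes): the account is confirmed
  # either way, but a session is created only when the request carries the
  # cookie of the registering browser; anyone else must log in with the
  # password chosen at registration.
  def confirm_secure(confirm_token, browser_token)
    name = @tokens.delete(confirm_token)
    return nil unless name
    user = @users[name]
    user[:confirmed] = true
    user[:browser_token] == browser_token ? name : nil
  end

  # Password changes require an authenticated session for that very account.
  def change_password(session_user, name, new_password)
    user = @users[name]
    return false unless user && user[:confirmed] && session_user == name
    user[:password] = new_password
    true
  end

  def confirmed?(name)   = @users.dig(name, :confirmed) == true
  def password_of(name)  = @users.dig(name, :password)
end
```

With the hardened path a stolen link still confirms the account, but without the registering browser's cookie it yields no session, so the password cannot be changed by the link holder.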