This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

security issue during registering new account at OSM #3337

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 4 comments

Comments

@openstreetmap-trac

Reporter: malenki
[Submitted to the original trac issue database at 4.37pm, Monday, 15th November 2010]

While registering for an account at OSM, one has to type in a password twice. After that one gets an email with a link to verify the account to be created.

This link can be used by any third person (e.g. MITM) to verify the account and change the password without having to know the password chosen at registration time.

@openstreetmap-trac

Author: woodpeck
[Added to the original trac issue at 4.58pm, Monday, 15th November 2010]

Please explain why this is a security risk.

Why should the "man in the middle" wait until you register an account, rather than simply registering an account in your name in the first place, something that has always been possible? What does the "man in the middle" gain from hijacking an account that hasn't been used yet and that won't be used in the future?

@openstreetmap-trac

Author: malenki
[Added to the original trac issue at 5.04pm, Monday, 15th November 2010]

I am not the one creating exploits nor am I evil enough what people would/could do with some issues I just stumble over them.

At least the possibility to change the password without having to tell the recent one is (imo, of course) no lucky solution.

@openstreetmap-trac

Author: malenki
[Added to the original trac issue at 5.19pm, Monday, 15th November 2010]

I forgot some words above:

[...] am I evil enough to dream of what people would/could [...]

@openstreetmap-trac

Author: TomH
[Added to the original trac issue at 9.47pm, Monday, 15th November 2010]

I think the point here is that if somebody has gone to the trouble of either hacking into your email or somehow tapping your network traffic and extracting your email from it then they will have much more interesting things to look for in it than an OSM account confirmation email...

Nonetheless I have made changes to block this by ensuring that new users are not automatically logged in unless they are using the same web browser used to create the account.
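Added example (not OSM's code and not TomH's actual change): a sketch of the mitigation described above. Registration hands a random confirmation token to the email and a separate random session id to the registering browser as a cookie; visiting the link confirms the address, but the user is only auto-logged-in when that cookie is present, so someone holding only the emailed link cannot obtain a session or change the password without knowing it. The names `Registrar`, `Account`, `signup_session` and the use of SHA-256 as a stand-in password hash are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    password_hash: str
    confirm_token: str     # sent in the confirmation email
    signup_session: str    # set as a cookie only in the browser that registered
    confirmed: bool = False


class Registrar:
    """Illustrative model: the emailed token proves the address, the cookie proves the browser."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, password):
        # sha256 is a placeholder for a real password hash such as bcrypt/argon2
        acct = Account(
            email=email,
            password_hash=hashlib.sha256(password.encode()).hexdigest(),
            confirm_token=secrets.token_urlsafe(32),
            signup_session=secrets.token_urlsafe(32),
        )
        self.accounts[email] = acct
        # first value goes into the email link, second into a cookie on the registering browser
        return acct.confirm_token, acct.signup_session

    def confirm(self, email, token, cookie, require_same_browser=True):
        """Return (confirmed, logged_in) for a visit to the confirmation link.

        require_same_browser=False reproduces the pre-fix behaviour, where any
        holder of the link was logged in and could then set a new password.
        """
        acct = self.accounts.get(email)
        if acct is None or not acct.confirm_token or not hmac.compare_digest(acct.confirm_token, token):
            return False, False
        acct.confirmed = True
        acct.confirm_token = ""          # single use: the link cannot be replayed
        if not require_same_browser:
            return True, True
        same_browser = cookie is not None and hmac.compare_digest(acct.signup_session, cookie)
        return True, same_browser
```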
