Somehow my peercoin address on peer4commit changed to:
I have no idea where that address came from.
My BTC address changed to:
I have no idea what that address is.
Do you have logs or something like that to check this out?
Looks like a hack unless you own 6 accounts at tip4commit.com.
I have stopped BitcoinTipper.work until we investigate the issue. Thanks for reporting!
I have also disabled the worker and I'm trying to figure out how it happened.
OK, I think I fixed the problem.
GitHub has 2 pieces of email data: the verified email list and the "public email", which is basically a text field where you can put anything.
The omniauth-github gem gave us the latter. So anyone could put someone else's email in the public email and log in as him.
I'm not sure, but it may happen only when you don't have any verified email.
So I changed omniauth-github to make it send the whole list of (verified) emails. Now the user lookup is made from these emails.
The changes are there:
I cleared all the peercoin addresses after I deployed the patch. So all users will have to set it again.
Thank you for the fix!
Unfortunately it doesn't solve the problem. It's still possible to sign in without any verified email address. I am turning off GitHub authorization until we solve the issue.
When I tried, GitHub didn't include my non-verified email in the list. It was a new account, so it may be different.
I cleared all user addresses again.
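The account lookup problem discussed in this thread, shown as an added example that is not part of any post and is not the project's own code: the lookup keyed on the free-text public email next to a lookup that accepts only addresses flagged as verified and refuses sign-in when there are none. The user store, the function names and all sample data are constructed assumptions; the `verified` flag is the one GitHub returns for each entry in its email list.

```ruby
require "json"

# Constructed sample data (not from the thread). *_PROFILE mimics the GitHub
# user object, whose "email" is the free-text public email; *_EMAILS mimics
# the address list, where each entry carries a "verified" flag.
ATTACKER_PROFILE = JSON.parse('{"login":"mallory","email":"alice@example.org"}')
ATTACKER_EMAILS  = JSON.parse('[{"email":"mallory@example.net","verified":false}]')
ALICE_EMAILS     = JSON.parse(<<~J)
  [{"email":"Alice@Example.org","verified":true},
   {"email":"old@example.org","verified":false}]
J

# Hypothetical user store keyed by normalized email address.
USERS = { "alice@example.org" => { name: "alice", payout_address: "PLACEHOLDER" } }

def normalize(email)
  email.to_s.strip.downcase
end

# The 'before' behaviour described in the thread: trust the public email.
def lookup_by_public_email(users, profile)
  users[normalize(profile["email"])]
end

# Only addresses explicitly flagged verified may be used as identity.
def verified_emails(emails)
  Array(emails).select { |e| e.is_a?(Hash) && e["verified"] == true }
               .map { |e| normalize(e["email"]) }
               .reject(&:empty?).uniq
end

# Hardened lookup: the profile email is never consulted, and an account
# with no verified address is rejected instead of being matched or created.
def lookup_by_verified_email(users, emails)
  candidates = verified_emails(emails)
  return [:rejected, nil] if candidates.empty?
  match = candidates.map { |e| users[e] }.compact.first
  match ? [:signed_in, match] : [:new_user, nil]
end

if __FILE__ == $PROGRAM_NAME
  p lookup_by_public_email(USERS, ATTACKER_PROFILE)   # matches alice's record
  p lookup_by_verified_email(USERS, ATTACKER_EMAILS)  # rejected
  p lookup_by_verified_email(USERS, ALICE_EMAILS)     # signed in as alice
end
```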