Update proposals/3967-device-signing-upload-uia.md

Co-authored-by: Travis Ralston <travisr@matrix.org>
hughns/device-signing-upload-uia
Kegan Dougal 4 weeks ago committed by GitHub
parent ee8f7178a5
commit c99401b22a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -71,12 +71,12 @@ replacing these keys in the homeserver database.
This does not mean:
- the attacker can "take over the account". It does not allow the attacker to
[login](https://spec.matrix.org/latest/client-server-api/#login) as they need to
know the password to the account. Likewise, an attacker cannot [logout all devices](https://spec.matrix.org/latest/client-server-api/#post_matrixclientv3logoutall)
nor can they [logout specific devices](https://spec.matrix.org/latest/client-server-api/#delete_matrixclientv3devicesdeviceid)
[login](https://spec.matrix.org/v1.10/client-server-api/#login) as they need to
know the password to the account. Likewise, an attacker cannot [logout all devices](https://spec.matrix.org/v1.10/client-server-api/#post_matrixclientv3logoutall)
nor can they [logout specific devices](https://spec.matrix.org/v1.10/client-server-api/#delete_matrixclientv3devicesdeviceid)
as these also go through UIA prompts.
- the device will appear as verified to other users. Other users need to verify the
public key [out-of-band](https://spec.matrix.org/latest/client-server-api/#short-authentication-string-sas-verification).
public key [out-of-band](https://spec.matrix.org/v1.10/client-server-api/#short-authentication-string-sas-verification).
As the true owner of the account is not performing this verification, if an attacker
physically met up with other users it would become obvious that this is not the true owner,
and hence no verification would be performed.
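Review bot: pinning the four spec links (login, logout all, logout specific device, SAS verification) from `latest` to `v1.10` is the right call for a proposal that is later read against a moving spec, but the hunk only covers these four; any other `spec.matrix.org/latest/...` links elsewhere in the proposal should be pinned to the same version in this commit so the document does not mix floating and fixed references. On the reworded login line, "as they need to know the password to the account" gives a narrower rationale than the linked Login section, which also covers SSO and token flows; "as they need to complete a login flow with the account's credentials" would keep the argument accurate for non-password deployments.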
