I’m sure this question might have come up before, but I couldn’t find it. Using a chatmail account, is it possible to change the password? For example, if someone finds out the password to my account, how can I change it? Even worse, what if a scammer logs in first and changes the password themselves? Is there anything at all on this topic?
Here it is:
Not unless you are also the administrator of the server.
They can’t change the password. Nobody can change the password except the chatmail provider. So if a scammer gains access to your account, they can’t lock you out, but I guess they could perform a denial of service attack by deleting your messages or do a message replay attack.
If you don’t use Delta Chat for a few months, then your account can expire and a scammer could in theory steal your address, but I doubt they could do anything malicious with that (like steal your identity) unless they also have your encryption keys and your contacts.
I think addresses are in principle non-reusable; the server keeps a list of expired accounts and will not allow an account to be created twice. I could be wrong.
However, the problem remains and it’s a serious vulnerability. We’re glad there’s no central server — independence and freedom are good — but Delta Chat supports synchronization between devices, and there’s no control over those sessions. If someone with access to my device clones my account onto their device, I not only won’t know it was done, I also won’t be able to do anything about it. They will have my email address, password, keys, and contacts, and I won’t even be aware. For the record, I’m specifically talking about chatmail servers.
The only thing that saves me is that one of my main profiles has accumulated a lot of data — around 10 GB — and because of that, the app crashes when preparing the profile for transfer.
I’m curious—if we use our own email accounts, such as Gmail, to replace the default virtual email accounts, would that solve this problem? I personally haven’t experimented with this yet.
Well, of course not, I’m not talking about classic email. Obviously, with regular email you can change your password through the corporation’s server control panel. But, as they say, that’s a double-edged sword.
Chatmail accounts are real email accounts. Chatmail servers have a few mildly unusual configuration settings: they are a bit faster than a regular server, they refuse to send or receive mails that aren’t encrypted in a specific standard format, and they delete mails after a month by default. But they are real email accounts and you can use them in some other desktop mail clients (all those that support the required encryption).
Wow, really?
Yeah, but many mail clients don’t support Autocrypt encryption (list, rather outdated), and some do but can be hard to configure.