miguelfreitas/twister-core

Account impersonation

milouse opened this issue · 3 comments

I think I've made some big mistake, or discovered a severe flaw. As I really do not understand how the blockchain works, I'm putting my situation here for experts to debug it.

I used the milouse user for a long time and kept my secret key very seriously. Because of several PC changes, I did not run twister for a long time. Today I wished to open it again and reinstall it on my brand new PC.

  1. I started the twister daemon.
  2. Immediately after, I went to the html interface. It said I had ~1000 days to recover.
  3. As it takes time, I wanted to quickly reconnect my old user. On the twister login page, I entered my secret key and my login name. It said « User must exist » or something like that.
  4. I thought it had something to do with « local user » or something, so I tried to create a new user with the form just above. It told me « milouse » was available.
  5. So I created a new user, which gave me a new secret key. What?
  6. When the blockchain finished logging in, I found my « milouse » profile with my configured avatar, webpage url, description and so on... but with the new secret key.

If I try to « switch user » using my old key, I get no error but stay stuck with the new secret key.

When I look at my profile, it says I have 162 twists, which seems to be OK regarding my old habits. But I cannot find a way to see them. My profile window only shows one old message and nothing more. It seems I've lost all my contacts too.

So, did I manage to overwrite my account? And, more importantly, does it mean anyone can get control of someone else's account, as soon as s·he tries to create his/her account before the blockchain download is complete?

I'm very confused, so any help / explanation will be appreciated!

... aaand it seems I cannot post anything anymore. I always get a javascript alert saying « Bad ajax signature ».

You have just created an inconsistency between your local wallet and the blockchain. This is a local inconsistency only, the rest of the network doesn't know about it.

No one else would accept your new public key into the blockchain because there is already another user there with the same name. That also explains why you cannot post, since no one (not even your local daemon) will accept the post signed by the wrong key. You will not be able to see your private messages either.

The best way to fix this is to erase your wallet containing the wrong key. There is no impersonation here.
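The situation described in the answer above, as an added example that is not part of the original thread and is not twister-core code: a simplified model of a first-registration-wins name registry with signed posts. The `Chain` class, its methods and `scenario()` are hypothetical names, and Lamport one-time signatures built from SHA-256 stand in for the real signature scheme so the sketch runs with the standard library only.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair (stand-in scheme): public key = hashes of the secrets.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(msg)), sig))

class Chain:
    """Hypothetical name registry: the first key registered for a name wins."""
    def __init__(self):
        self.names = {}
    def register(self, name, pk):
        if name in self.names:
            return False            # name already bound to another key
        self.names[name] = pk
        return True
    def accept_post(self, name, msg, sig):
        pk = self.names.get(name)
        return pk is not None and verify(pk, msg, sig)

def scenario():
    network = Chain()                       # what fully synced peers hold
    old_sk, old_pk = keygen()
    network.register("milouse", old_pk)     # original registration
    fresh = Chain()                         # new install, chain not downloaded yet
    new_sk, new_pk = keygen()
    post = b"constructed sample post"
    return {
        "name_looked_free_locally": fresh.register("milouse", new_pk),
        "network_accepts_new_key": network.register("milouse", new_pk),
        "wallet_matches_chain": new_pk == network.names["milouse"],
        "post_signed_with_new_key": network.accept_post("milouse", post, sign(new_sk, post)),
        "post_signed_with_old_key": network.accept_post("milouse", post, sign(old_sk, post)),
    }

if __name__ == "__main__":
    print(scenario())
```

The `wallet_matches_chain` comparison is the check that exposes the local inconsistency: the wallet holds a key for the name that differs from the one the registry already binds to it.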

Ok, I'm reassured :)

I'll delete all local content and start again more smoothly. Thank you.