Security problem on ZeroMail (and all zeromail clones) need to be allowed nickname@cryptoid.bit: (the auth address), malicious user can read, delete, send messages have full access to your mailbox!

[mx5kevin]

Cloned user have full access to the original user mailbox. If have a originaluser@cryptoid.bit and someone else are registering another originaluser@cryptoid.bit have full access to the original user mailbox! On any name service if the user can change in the .json file his name, or the name service can manipulated like ZeroID anyone's emails can be easily accessed.

If multiple user are registered in cryptoid.bit with the same nickname.

-1. Not possible to filter nickname@cryptoid.bit: (the auth address) Like this: user@idprovider.bit:De86hbTrEftznbTRFVcDemj7Zhgvfdsx
-2. The system can not detected before the secondary registration one user with the same nickname already registered.
-3. On nickname@cryptoid.bit the system is not sure from who to send the letter to. And send both the users with the same nickname. Both user are accessing the same mailbox and can send, delete, read messages have full access to the original user mailbox.
-4. A hacker can manipulate the system so that someone else to receive the letter.

Affected mail services ZeroMail, ZeroMailX, ZeroVerse services and any ZeroMail Clones. Need to use the public key hash and nickname combination to identify the user. Like this: user@idprovider.bit:De86hbTrEftznbTRFVcDemj7Zhgvfdsx

Centralized ID providers like ZeroID they are completely untrusted. It is very easy to hack the system.

[slrslr]

On the bottom of this Zeronet based discussion thread, @caryoscelus suggests the claims are not true. It is not proven.

[mx5kevin]

On the bottom of this Zeronet based discussion thread, @caryoscelus suggests the claims are not true. It is not proven.

A developer who can analyze and fix the problem is needed here. There is enough data for reproduction. The user must be identified based on his bitcoin public key as it cannot be faked. ZeroID and similar ID systems what add extra data to the users.json file like the username can be manipulated. The source of the problem is the easy to hacked nickname based identification. Anyone who does not see the essence of the problem are not suitable to fix it. The linked page does not offer a solution to the problem, but it can highlight other problems.

[mx5kevin]

The user's public and private key is generated on the device he uses in the users.json file which are a high secured bitcoin address. ZeroID and similar services gives extra data like the username to this file, and these data can all be manipulated. Public key-based identification is needed in this and similar situations which is already available by default and the most important part of system security.