- sending arbitrary authenticated requests after copying the authentication data signed(LoginKey),
- pretending to know the plain password by copying the unhashed PasswordVerificationKey,
- verifying pending user registrations that are sent from the attacker,
- Using 2. the server can add a new device to an existing user and send signed messages.