Sorry for resurrecting this old thread, but the procedure is not yet clear to me.
Florian Grothe wrote:The invitations are encrypted with the 256Bit public key of the receiver. Therefore you theoretically could give the invitation to anyone. But the only one who can make use of it, is the intended receiver that owns the relating private key.
How does this work in the case of the "Invite all my devices" functionality? I just tried it, and could access the invitation after logging into Teamdrive on a new installation (as expected). At the time the invitation was sent, there was no public key for that device in existence.
So, how is it technically prevented that these invitations are hijacked by someone with access to the TD server?