[Klonan] Space Age Website Inaccuracies

eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

[Klonan] Space Age Website Inaccuracies

Post by eugenekay »

Hello,

I have noted some inaccuracies on the Factorio website. Some of this was previously reported via email, but was not replied to, so I assumed it was lost in the noise. Reporting in the Bug Forum because it seemed like the proper place.

In FFF-433 the Link for "Space Exploration" leads to https://mods.factorio.com/mod/jetpack; the same as the previous link ("Jetpack"). The correct Hyperlink destination would presumably be: https://mods.factorio.com/mod/space-exploration.

On the Space Age Presskit the last paragraph lists the release date in future tense “will release on October 21st 2024”; not the expected “was released on October 21st, 2024”.

While the Terms of Service was updated by the addition of language “Throughout this document, Factorio refers to the Factorio video game as well as the Factorio: Space Age expansion.”, this only raises issues further down which may be ambiguous or confusing:

“You get access to the game by buying the membership. A single payment is all it takes to obtain full membership and unlock all features of the Factorio game.” - The Base Game and the Space Age expansion are purchased as separate transactions.
“Possession of the membership entitles you to all the updates to the digital content associated with this membership for free in the future. Specifically this means that future updates to the core game are for free. However this doesn't include any more significant products that we might release, such as a Factorio DLCs, Factorio 2, etc.” - Space Age IS the theoretical DLC being referred-to here. The current version string (2.0.X) may be confused with “Factorio 2” - whereas an unannounced future sequel title could reasonably be “Oriotcaf”.
eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

Re: Space Age Website Inaccuracies

Post by eugenekay »

While reading the very-excellent and well-annotated Privacy Policy, I found a reference for the Forums: "The Official Factorio forum. It only collects minimal data needed to serve the forum. It has its own privacy policy here, Which only applies if you register a Forum account.". This document does not appear to have been written by the same folks who did the top-level Privacy Policy... in fact it appears to be an almost-exact copy of the phpBB Privacy Policy. From the perspective of GDPR compliance, this supplementary document has some issues:
- "Your information for your account at “Factorio Forums” is protected by data-protection laws applicable in the country that hosts us." What Country/Countries is this referencing?
- The usage of "phpBB software" is listed as encompassing "phpBB Limited", "phpBB Teams", and other related terms. This does not clarify whether the Forums.factorio.com server is owned/operated by Wube "using the phpBB software", or if the Forum is a licensed service operated by phpBB Limited directly
- The Forum Policy only states the circumstances under which data is collected. It does not state, although it is obvious and necessary to operate a Forum, that submitted data will be publicly viewable on the internet by other (anonymous) users of the Factorio Forums.
- "We may also create cookies external to the phpBB software whilst browsing “Factorio Forums”, though these are outside the scope of this document which is intended to only cover the pages created by the phpBB software." - Any cookies external to the phpBB software would presumably be covered by the top-level Privacy Policy; so why is this mentioned here?
- No information is given on how to remove personal data. The top-level Privacy Policy contains instructions for email support, however no hyperlink is provided on the Forum Privacy Policy to discover this fact.


The top-level Privacy Policy mentions "Monglab.com, Linode for the purposes of running our products and related databases – for example, if you set up a forum account, your data will be stored and maintained by Linode as our third party provider." The IP address for the Forum actually resolves to "Akamai Technologies, Inc" at 172.104.141.117, who Purchased Linode in February 2022. It is not clear to me if this IP address is used by a Linode server directly, or if this is an Akamai CDN wrapped-around Linode? I would like to call attention to the fact that I have purchased "monglab.com". So you probably should not list it in your Privacy Policy. This domain was not previously Registered, and referencing un-used public Domains is not a great Security idea. Please clarify if this is a typo of "Mongo Labs", or some other provider? Please contact me via Forum PM if you would like to arrange for (gratis) transfer of this Domain to its rightful owner, since I have no interest in it beyond illustrating the risks here.

If it is the case that these Forums are actually "run by" phpBB on Servers outside of Wube's direct control, does this present any issue with the top-level Policy statement: "We do not sell your personal data or disclose it in any manner to unauthorised third parties." If yes, then how is phpBB not listed as a "Data Processor" on the top-level Policy?

The top-level Privacy Policy does not (appear to?) contain specific provisions for usage of data submitted to the Galaxy of Fame. This data (including the Factorio Username) is visible to any user of the Factorio website, e.g. User notnotmelon. Additionally, the source code for this page includes references to undisclosed third-party jsDelivr. Other JavaScript assets are stored/loaded from cdn.factorio.com - so it is not clear why a third-party CDN is required for this page only? Also-also, it appears that Cloudflare is used for htmx.js - on every page - necessitating a connection to another third-party.

Thank you for reading. I realize that this is extremely narrow and unlikely to cause issues..... but Compliance and ensuring things are done Correctly is a hobby of mine. :-)
eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by eugenekay »

Hello,

Since this Forum Topic was raised on November 7th, the Privacy Policy has been changed - which is great! I have noticed that "MongoDB Atlas" has been added to the list of external processors (replacing monglab.com), as well as adding Heroku + Redis, jsDelivr, Cloudflare, and CDN77.

However, the Updated Date at the bottom of the Document was not changed:
REVIEW OF THIS POLICY
We reserve the right to change or amend this policy in the future. Any future changes or amendments will be posted on this page and, if necessary, communicated to you by e-mail. Please check back regularly to see any updates or changes to our privacy policy.

This policy was last updated on the 9th of October, 2024.
Nor was any update email received, as stated. :-)
eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by eugenekay »

Hello,

While re-reading the Privacy Policy (again), I noticed references to “Wikimedia” as a Data Processor:
Wikimedia for our Official Factorio wiki, where you can find useful info and gameplay tips. Wikimedia does not collect much of your personal data, but your IP address will be recorded if you request an account. It has its own privacy policy here, which only applies if you register a Wiki account.
To the best of my knowledge, the Wikimedia Foundation does not and has never hosted Wiki websites outside of their owned domains (eg, Wikipedia, Wiktionary, Wikibooks….). They do provide the MediaWiki software on an open source basis for others to run their own websites, but this SHOULD NOT result in Wikimedia themselves being a Data Processor? There are external Hosting companies which offer MediaWiki services (such as Fandom, formerly known as Wikia); however it does not appear that the Factorio Wiki uses any such service. If the Wiki is entirely self-hosted by Wube (using servers on Linode or Heroku) then why is Wikimedia listed at all?
Last edited by eugenekay on Tue Nov 26, 2024 2:32 am, edited 1 time in total.
eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by eugenekay »

(Last thing, I promise!)

The Company Details in the various Privacy Policies show different addresses for Wube Software. In the official Privacy Policy:
Our complete company details are:
WUBE Software Ltd (Company reg. no: 9201188)
Registered Seat: 41 Devonshire Street, Ground Floor, London, W1G 7AJ
(Note: The standard for UK company Numbers is to use the full 8 digits, including any leading 0, or 2-Character prefix + 6 digits as applicable.)


Whereas the Factorio Wiki Privacy Policy (last updated 21 November 2018, at 15:40) states:
Personal Data controller in relation to this Wiki page is WUBE Software Ltd., company number 09201188, with registered office address: 3 Gower Street, London, United Kingdom, WC1 6HA
As mentioned previously, the Forum Privacy Policy does not clarify if it is hosted by Wube directly, through phpBB, or another third-party hosting organization, nor does it contain a hyperlink to the top-level Privacy Policy.

According to the public filing history on the UK's Companies House website, this address was changed on 09 Apr 2021.
BraveCaperCat
Filter Inserter
Posts: 460
Joined: Mon Jan 15, 2024 10:10 pm
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by BraveCaperCat »

eugenekay wrote: Mon Nov 25, 2024 10:34 pm (Last thing, I promise!)

The Company Details in the various Privacy Policies show different addresses for Wube Software. In the official Privacy Policy:
Our complete company details are:
WUBE Software Ltd (Company reg. no: 9201188)
Registered Seat: 41 Devonshire Street, Ground Floor, London, W1G 7AJ
(Note: The standard for UK company Numbers is to use the full 8 digits, including any leading 0, or 2-Character prefix + 6 digits as applicable.)


Whereas the Factorio Wiki Privacy Policy (last updated 21 November 2018, at 15:40) states:
Personal Data controller in relation to this Wiki page is WUBE Software Ltd., company number 09201188, with registered office address: 3 Gower Street, London, United Kingdom, WC1 6HA
As mentioned previously, the Forum Privacy Policy does not clarify if it is hosted by Wube directly, through phpBB, or another third-party hosting organization, nor does it contain a hyperlink to the top-level Privacy Policy.

According to the public filing history on the UK's Companies House website, this address was changed on 09 Apr 2021.
As seen on the About Us page, Wube isn't in London... It's in the Czech Republic.
Note that I'm not a legal or business expert, or know much about any of that...
Creator of multiple mods, including Quality Assurance - My most popular one.
Go check them out with the first and second links!
I'll probably be wanting or giving help with modding most of the time I spend here on the forum.
eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by eugenekay »

Nope! The Privacy Policy clearly states that the “Czech branch” is not the same entity as the UK corporation:
WUBE SOFTWARE Ltd. odštěpný závod, registered with the Company register of the Czech Republic under no. 03594009 – our Czech branch.
IsaacOscar
Filter Inserter
Posts: 843
Joined: Sat Nov 09, 2024 2:36 pm
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by IsaacOscar »

A couple of minor issues I've found: when I'm logged in (I have both the base game and Space Age purchased) it gives me an option to buy Space Age:
Screenshot 2024-11-26 094426.png
But only when I click the "Game" tab; the option isn't shown in the drop-downs for "Game" or "Space Age", nor on the page when you click "Space Age".
I would expect either both buy buttons to be hidden or (preferably) both to be shown.

Whereas when I log out:
Screenshot 2024-11-26 094440.png
I get a button to buy the base game and space age, and the buttons show in both the "game" and "Space age" drop downs.
However, there is still no buy button when I click the "space age button":
Screenshot 2024-11-26 095339.png
Also the rocket is the old model, not the new 2.0/Space Age one:
Screenshot 2024-11-26 094451.png
It should look like this:
Screenshot 2024-11-26 095856.png
BraveCaperCat
Filter Inserter
Posts: 460
Joined: Mon Jan 15, 2024 10:10 pm
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by BraveCaperCat »

Another website problem: When logging into the mod portal through Steam, it brings me back to the main website. And when doing this on a mobile device with the Steam mobile app installed, it tries to open the Steam app to log in - which doesn't work at all. That last part seems more like a Steam issue than a Factorio issue, but I mentioned it anyway, since it was related. Also, the mod portal and main website are signing me out so much more than the forums - I had to go offline on the forums for months before it signed me out, but for the mod portal and main website (on a per-device basis) it only takes a few hours to automatically sign out. Note that I only log in to the mod portal and main website through Steam.
eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by eugenekay »

This Bug Report was raised for Factual inaccuracies in the website copy, not for graphical or Cookie persistence issues. Please consider a New Topic. :-)
eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by eugenekay »

Hello,

Sorry to post again, but I have discovered another issue within the Privacy Policy / Website Cookies:
USE OF COOKIES AND JAVASCRIPT
To better adapt our services to your requirements our website uses cookies – small files stored in your device that contain data related to your activity on our website. We only use cookies with registered users. You can always change your cookies settings in your browser or refuse accepting cookies altogether. The change in settings can, however, adversely affect the functioning of some parts of the website for you.
From an InPrivate / Incognito window (not Logged-in):
Screenshot 2024-12-13 130336.png
There is a cookie named "session" which is sent to the User's browser on first-visit to the Factorio domain. This is stored on the user's computer for the length of the Browser Session, and is submitted to all *.factorio.com servers (including the Forums) on each request. This session cookie is used when Signed-in (with "Remember Me" unchecked), and does not change. This seems to be in contravention of the Privacy Policy, which states that only "registered users" receive Cookies.

From a Normal window (Logged-In):
Screenshot 2024-12-13 130934.png
If "Remember Me" is checked, an additional cookie "wube_remember_token" is also placed, which does have the Expires field set, however it LACKS the "Secure" field. This means that this Cookie may be sent over HTTP requests, which represents a potential Security issue. This is somewhat mitigated by the fact that the Factorio.com presents a "strict-transport-security" header (aka HSTS header), so a compliant browser should stick to HTTPS requests. The forums do NOT supply this "strict-transport-security" header, so it is possible (with a HTTP-downgrade aka Man-in-the-Middle attack) to intercept requests here and obtain this cookie!

If logged-in to the Forums Website then additional "phpbb3_" cookies are placed. However, these are NOT Subdomain Restricted and are sent on every request to WWW.factorio.com, Mods.factorio.com, etc. This increases the risks of an XSS vulnerability on those websites, since additional user tokens may be collected.

The Wiki appears to set a "mediawiki_wiki_session" cookie, even when Logged-Out; it does Contain the "Secure" flag. However, the Wiki subdomain does NOT supply the "strict-transport-security" header, similar to the Forums. The Terms of Service was last updated in 2019 (the text says 2018?), and contains similar language to the original Privacy Policy (eg, "Factorio 2" references). It also claims "In case of legal dispute, the governing laws of the Czech Republic will apply.", which.... is counter to the assertion that Wube Software is a UK Company? :-D

Thank you for reading.
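The cookie and HSTS observations in the post above are easy to check mechanically from a captured set of response headers. What follows is an added example, not code from the post or from Wube/Factorio: it parses Set-Cookie headers and flags the four weaknesses the post names (a cookie without the Secure flag, a cookie scoped to a parent domain so it is sent to every subdomain, a sensitive cookie without HttpOnly, and a host that omits Strict-Transport-Security), and it emits a hardened Set-Cookie line for each offending cookie. The hosts, cookie values and headers are constructed samples modelled on the post's description, not captures of any real site; the cookie-name prefixes treated as sensitive are an assumption taken from the names the post mentions.

```python
"""Audit HTTP response headers for weak cookie attributes and missing HSTS.

All sample data here is constructed for illustration (hosts under example.com);
nothing is captured from a real site.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Canonical spelling for attributes we re-emit (cookie attribute names are
# case-insensitive, so this is cosmetic).
CANON = {"expires": "Expires", "max-age": "Max-Age", "path": "Path"}

# Recommended policy header: one year, applied to subdomains of this host too.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attr -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value. Flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for p in parts[1:]:
        if p:
            k, sep, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def audit_response(host: str, headers: list[tuple[str, str]],
                   sensitive: tuple[str, ...] = ()) -> list[str]:
    """Return human-readable findings for one host's response headers.

    HSTS is evaluated per host: a header served by www.example.com does not
    protect forums.example.com, so every host must send its own."""
    findings = []
    if "strict-transport-security" not in {k.lower() for k, _ in headers}:
        findings.append(f"{host}: no Strict-Transport-Security; a browser may "
                        f"follow an http:// link to this host")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        c = parse_set_cookie(v)
        if "secure" not in c.attrs:
            findings.append(f"{host}: cookie {c.name!r} lacks Secure; it would be "
                            f"sent on plain-HTTP requests")
        domain = c.attrs.get("domain")
        if isinstance(domain, str) and domain.lstrip(".").lower() != host.lower():
            findings.append(f"{host}: cookie {c.name!r} has Domain={domain}; it is "
                            f"sent to every subdomain of {domain.lstrip('.')}")
        if c.name.startswith(sensitive) and "httponly" not in c.attrs:
            findings.append(f"{host}: sensitive cookie {c.name!r} lacks HttpOnly; "
                            f"page script can read it")
    return findings


def harden(c: Cookie, same_site: str = "Lax") -> str:
    """Re-emit a cookie as host-only (no Domain), Secure, HttpOnly, SameSite."""
    parts = [f"{c.name}={c.value}"]
    for k, v in c.attrs.items():
        if k in ("domain", "secure", "httponly", "samesite"):
            continue  # dropped or replaced below
        parts.append(CANON.get(k, k) if v is True else f"{CANON.get(k, k)}={v}")
    parts += ["Secure", "HttpOnly", f"SameSite={same_site}"]
    return "; ".join(parts)


# Constructed samples modelled on the post: a main host with HSTS whose
# "remember" cookie lacks Secure, and a forum host that sends no HSTS and
# scopes its cookie to the parent domain.
SAMPLE_RESPONSES = {
    "www.example.com": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=s3ss10n; Domain=.example.com; Path=/; HttpOnly; Secure"),
        ("Set-Cookie", "wube_remember_token=r3m3mb3r; Domain=.example.com; Path=/; "
                       "Expires=Sat, 13 Dec 2025 13:09:34 GMT; HttpOnly"),
    ],
    "forums.example.com": [
        ("Set-Cookie", "phpbb3_example_sid=f0rum; Domain=.example.com; Path=/; Secure; HttpOnly"),
    ],
}
SENSITIVE_PREFIXES = ("session", "wube_remember_token", "phpbb3_")  # assumption


def audit_all(responses=SAMPLE_RESPONSES) -> dict[str, list[str]]:
    return {h: audit_response(h, hdrs, SENSITIVE_PREFIXES) for h, hdrs in responses.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Each host is judged on its own headers because HSTS is cached per host (plus subdomains only when `includeSubDomains` is set on the parent), so a policy on the main site does not cover a forum or wiki on a sibling hostname. Dropping the `Domain` attribute makes a cookie host-only, which is the cheapest fix for the cross-subdomain exposure the post describes.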
BraveCaperCat
Filter Inserter
Posts: 460
Joined: Mon Jan 15, 2024 10:10 pm
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by BraveCaperCat »

eugenekay wrote: Tue Nov 26, 2024 2:11 am This Bug Report was raised for Factual inaccuracies in the website copy, not for graphical or Cookie persistence issues. Please consider a New Topic. :-)
You: *Posts about cookie issues*
eugenekay wrote: Fri Dec 13, 2024 6:25 pm Hello,

Sorry to post again, but I have discovered another issue within the Privacy Policy / Website Cookies:
USE OF COOKIES AND JAVASCRIPT
To better adapt our services to your requirements our website uses cookies – small files stored in your device that contain data related to your activity on our website. We only use cookies with registered users. You can always change your cookies settings in your browser or refuse accepting cookies altogether. The change in settings can, however, adversely affect the functioning of some parts of the website for you.
From an InPrivate / Incognito window (not Logged-in):
Screenshot 2024-12-13 130336.png
There is a cookie named "session" which is sent to the User's browser on first-visit to the Factorio domain. This is stored on the user's computer for the length of the Browser Session, and is submitted to all *.factorio.com servers (including the Forums) on each request. This session cookie is used when Signed-in (with "Remember Me" unchecked), and does not change. This seems to be in contravention of the Privacy Policy, which states that only "registered users" receive Cookies.

From a Normal window (Logged-In):
Screenshot 2024-12-13 130934.png
If "Remember Me" is checked, an additional cookie "wube_remember_token" is also placed, which does have the Expires field set, however it LACKS the "Secure" field. This means that this Cookie may be sent over HTTP requests, which represents a potential Security issue. This is somewhat mitigated by the fact that the Factorio.com presents a "strict-transport-security" header (aka HSTS header), so a compliant browser should stick to HTTPS requests. The forums do NOT supply this "strict-transport-security" header, so it is possible (with a HTTP-downgrade aka Man-in-the-Middle attack) to intercept requests here and obtain this cookie!

If logged-in to the Forums Website then additional "phpbb3_" cookies are placed. However, these are NOT Subdomain Restricted and are sent on every request to WWW.factorio.com, Mods.factorio.com, etc. This increases the risks of an XSS vulnerability on those websites, since additional user tokens may be collected.

The Wiki appears to set a "mediawiki_wiki_session" cookie, even when Logged-Out; it does Contain the "Secure" flag. However, the Wiki subdomain does NOT supply the "strict-transport-security" header, similar to the Forums. The Terms of Service was last updated in 2019 (the text says 2018?), and contains similar language to the original Privacy Policy (eg, "Factorio 2" references). It also claims "In case of legal dispute, the governing laws of the Czech Republic will apply.", which.... is counter to the assertion that Wube Software is a UK Company? :-D

Thank you for reading.
Me: *Makes a post about it*
BraveCaperCat wrote: Fri Dec 13, 2024 8:42 pm
eugenekay wrote: Tue Nov 26, 2024 2:11 am This Bug Report was raised for Factual inaccuracies in the website copy, not for graphical or Cookie persistence issues. Please consider a New Topic. :-)
You: *Posts about cookie issues*
eugenekay wrote: Fri Dec 13, 2024 6:25 pm Hello,

Sorry to post again, but I have discovered another issue within the Privacy Policy / Website Cookies:
USE OF COOKIES AND JAVASCRIPT
To better adapt our services to your requirements our website uses cookies – small files stored in your device that contain data related to your activity on our website. We only use cookies with registered users. You can always change your cookies settings in your browser or refuse accepting cookies altogether. The change in settings can, however, adversely affect the functioning of some parts of the website for you.
From an InPrivate / Incognito window (not Logged-in):
Screenshot 2024-12-13 130336.png
There is a cookie named "session" which is sent to the User's browser on first-visit to the Factorio domain. This is stored on the user's computer for the length of the Browser Session, and is submitted to all *.factorio.com servers (including the Forums) on each request. This session cookie is used when Signed-in (with "Remember Me" unchecked), and does not change. This seems to be in contravention of the Privacy Policy, which states that only "registered users" receive Cookies.

From a Normal window (Logged-In):
Screenshot 2024-12-13 130934.png
If "Remember Me" is checked, an additional cookie "wube_remember_token" is also placed, which does have the Expires field set, however it LACKS the "Secure" field. This means that this Cookie may be sent over HTTP requests, which represents a potential Security issue. This is somewhat mitigated by the fact that the Factorio.com presents a "strict-transport-security" header (aka HSTS header), so a compliant browser should stick to HTTPS requests. The forums do NOT supply this "strict-transport-security" header, so it is possible (with a HTTP-downgrade aka Man-in-the-Middle attack) to intercept requests here and obtain this cookie!

If logged-in to the Forums Website then additional "phpbb3_" cookies are placed. However, these are NOT Subdomain Restricted and are sent on every request to WWW.factorio.com, Mods.factorio.com, etc. This increases the risks of an XSS vulnerability on those websites, since additional user tokens may be collected.

The Wiki appears to set a "mediawiki_wiki_session" cookie, even when Logged-Out; it does Contain the "Secure" flag. However, the Wiki subdomain does NOT supply the "strict-transport-security" header, similar to the Forums. The Terms of Service was last updated in 2019 (the text says 2018?), and contains similar language to the original Privacy Policy (eg, "Factorio 2" references). It also claims "In case of legal dispute, the governing laws of the Czech Republic will apply.", which.... is counter to the assertion that Wube Software is a UK Company? :-D

Thank you for reading.
Me: *Makes a post about it*

You: *Posts about why what you posted isn't a cookie persistence issue, and you said that this isn't a topic for cookie persistence issue*
FutureYou wrote: What I posted wasn't about cookie persistence issues, it's about the existence of cookies at all when logged out. This is contrary to the assumption that the privacy policy doesn't permit cookies on any factorio.com sub domains while logged out.
You: *Posts about why what you posted isn't a cookie persistence issue, and you said that this isn't a topic for cookie persistence issue*
FutureYou wrote:
BraveCaperCat wrote: Fri Dec 13, 2024 8:42 pm
eugenekay wrote: Tue Nov 26, 2024 2:11 am This Bug Report was raised for Factual inaccuracies in the website copy, not for graphical or Cookie persistence issues. Please consider a New Topic. :-)
You: *Posts about cookie issues*
eugenekay wrote: Fri Dec 13, 2024 6:25 pm Hello,

Sorry to post again, but I have discovered another issue within the Privacy Policy / Website Cookies:
USE OF COOKIES AND JAVASCRIPT
To better adapt our services to your requirements our website uses cookies – small files stored in your device that contain data related to your activity on our website. We only use cookies with registered users. You can always change your cookies settings in your browser or refuse accepting cookies altogether. The change in settings can, however, adversely affect the functioning of some parts of the website for you.
From an InPrivate / Incognito window (not Logged-in):
Screenshot 2024-12-13 130336.png
There is a cookie named "session" which is sent to the User's browser on first-visit to the Factorio domain. This is stored on the user's computer for the length of the Browser Session, and is submitted to all *.factorio.com servers (including the Forums) on each request. This session cookie is used when Signed-in (with "Remember Me" unchecked), and does not change. This seems to be in contravention of the Privacy Policy, which states that only "registered users" receive Cookies.

From a Normal window (Logged-In):
Screenshot 2024-12-13 130934.png
If "Remember Me" is checked, an additional cookie "wube_remember_token" is also placed, which does have the Expires field set, however it LACKS the "Secure" field. This means that this Cookie may be sent over HTTP requests, which represents a potential Security issue. This is somewhat mitigated by the fact that the Factorio.com presents a "strict-transport-security" header (aka HSTS header), so a compliant browser should stick to HTTPS requests. The forums do NOT supply this "strict-transport-security" header, so it is possible (with a HTTP-downgrade aka Man-in-the-Middle attack) to intercept requests here and obtain this cookie!

If logged-in to the Forums Website then additional "phpbb3_" cookies are placed. However, these are NOT Subdomain Restricted and are sent on every request to WWW.factorio.com, Mods.factorio.com, etc. This increases the risks of an XSS vulnerability on those websites, since additional user tokens may be collected.

The Wiki appears to set a "mediawiki_wiki_session" cookie, even when Logged-Out; it does Contain the "Secure" flag. However, the Wiki subdomain does NOT supply the "strict-transport-security" header, similar to the Forums. The Terms of Service was last updated in 2019 (the text says 2018?), and contains similar language to the original Privacy Policy (eg, "Factorio 2" references). It also claims "In case of legal dispute, the governing laws of the Czech Republic will apply.", which.... is counter to the assertion that Wube Software is a UK Company? :-D

Thank you for reading.
Me: *Makes a post about it*

You: *Posts about why what you posted isn't a cookie persistence issue, and you said that this isn't a topic for cookie persistence issue*
FutureYou wrote: What I posted wasn't about cookie persistence issues, it's about the existence of cookies at all when logged out. This is contrary to the assumption that the privacy policy doesn't permit cookies on any factorio.com sub domains while logged out.
What I posted wasn't about cookie persistence issues, it's about the existence of cookies at all when logged out. This is contrary to the assumption that the privacy policy doesn't permit cookies on any factorio.com sub domains while logged out.
Last edited by BraveCaperCat on Fri Dec 13, 2024 8:44 pm, edited 1 time in total.
eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by eugenekay »

Do you usually go on the internet to pick fights?

:-)
BraveCaperCat
Filter Inserter
Posts: 460
Joined: Mon Jan 15, 2024 10:10 pm
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by BraveCaperCat »

eugenekay wrote: Fri Dec 13, 2024 8:44 pm Do you usually go on the internet to pick fights?

:-)
No, it was a joke! You didn't wait until I edited it...

I did however read your previous post in a serious manner and understand that the issue goes beyond PP and ToS issues. (at least, I think so... not sure.)
Last edited by BraveCaperCat on Fri Dec 13, 2024 8:53 pm, edited 1 time in total.
eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by eugenekay »

It’s still not funny?

This is a serious Report covering, among other things, a Potential Security Issue stemming from insecure usage of Cookies containing a Secret that allows user Impersonation and account takeover. It has been reported to support@factorio.com in the absence of a responsible disclosure process. This was discovered from a close reading of the Privacy Policy, which is a legal document outlining your rights.
BraveCaperCat
Filter Inserter
Posts: 460
Joined: Mon Jan 15, 2024 10:10 pm
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by BraveCaperCat »

eugenekay wrote: Fri Dec 13, 2024 8:50 pm It’s still not funny?

This is a serious Report covering, among other things, a Potential Security Issue stemming from insecure usage of Cookies containing a Secret that allows user Impersonation and account takeover. It has been reported to support@factorio.com in the absence of a responsible disclosure process. This was discovered from a close reading of the Privacy Policy, which is a legal document outlining your rights.
Well then, other than the serious report bit - I guess my joke wasn't a very good joke.
eugenekay
Filter Inserter
Posts: 825
Joined: Tue May 15, 2018 2:14 am
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by eugenekay »

eugenekay wrote: Fri Dec 13, 2024 6:25 pm Hello,

Sorry to post again, but I have discovered another issue within the Privacy Policy / Website Cookies:
USE OF COOKIES AND JAVASCRIPT
To better adapt our services to your requirements our website uses cookies – small files stored in your device that contain data related to your activity on our website. We only use cookies with registered users. You can always change your cookies settings in your browser or refuse accepting cookies altogether. The change in settings can, however, adversely affect the functioning of some parts of the website for you.
From an InPrivate / Incognito window (not Logged-in):
Screenshot 2024-12-13 130336.png
There is a cookie named "session" which is sent to the User's browser on first-visit to the Factorio domain. This is stored on the user's computer for the length of the Browser Session, and is submitted to all *.factorio.com servers (including the Forums) on each request. This session cookie is used when Signed-in (with "Remember Me" unchecked), and does not change. This seems to be in contravention of the Privacy Policy, which states that only "registered users" receive Cookies.

From a Normal window (Logged-In):
Screenshot 2024-12-13 130934.png
If "Remember Me" is checked, an additional cookie "wube_remember_token" is also placed, which does have the Expires field set, however it LACKS the "Secure" field. This means that this Cookie may be sent over HTTP requests, which represents a potential Security issue. This is somewhat mitigated by the fact that the Factorio.com presents a "strict-transport-security" header (aka HSTS header), so a compliant browser should stick to HTTPS requests. The forums do NOT supply this "strict-transport-security" header, so it is possible (with a HTTP-downgrade aka Man-in-the-Middle attack) to intercept requests here and obtain this cookie!

If logged-in to the Forums Website then additional "phpbb3_" cookies are placed. However, these are NOT Subdomain Restricted and are sent on every request to WWW.factorio.com, Mods.factorio.com, etc. This increases the risks of an XSS vulnerability on those websites, since additional user tokens may be collected.

The Wiki appears to set a "mediawiki_wiki_session" cookie, even when Logged-Out; it does Contain the "Secure" flag. However, the Wiki subdomain does NOT supply the "strict-transport-security" header, similar to the Forums. The Terms of Service was last updated in 2019 (the text says 2018?), and contains similar language to the original Privacy Policy (eg, "Factorio 2" references). It also claims "In case of legal dispute, the governing laws of the Czech Republic will apply.", which.... is counter to the assertion that Wube Software is a UK Company? :-D

Thank you for reading.
Hello,

It has been almost 6 months since this Bug was originally opened / placed into Assigned. There is still a disagreement between the various "Last Updated" dates in the Privacy Policy, and when their contents were actually changed. No changes to Cookie Policy or Security have been observed. There is still some confusion as to Wube Software's legal status as a UK or Czech company.

Thank you for reading.

-Eugene
Klonan
Factorio Staff
Posts: 5423
Joined: Sun Jan 11, 2015 2:09 pm
Contact:

Re: [Klonan] Space Age Website Inaccuracies

Post by Klonan »

eugenekay wrote: Mon Nov 25, 2024 10:34 pm (Last thing, I promise!)

The Company Details in the various Privacy Policies show different addresses for Wube Software. In the official Privacy Policy
Fixed
eugenekay wrote: Mon Nov 25, 2024 9:41 pm If the Wiki is entirely self-hosted by Wube (using servers on Linode or Heroku) then why is Wikimedia listed at all?
Fixed (Changed to just say Factorio wiki)
eugenekay wrote: Mon Nov 25, 2024 9:00 pm However, the Updated Date at the bottom of the Document was not changed
Fixed

eugenekay wrote: Mon Nov 25, 2024 9:00 pm Nor was any update email received, as stated. :-)
I don't think small corrections and typos count as changes large enough to require an email notification (which is only if necessary).
(Any future changes or amendments will be posted on this page and, if necessary, communicated to you by e-mail.)
eugenekay wrote: Fri Nov 08, 2024 12:03 am On the Space Age Presskit the last paragraph lists the release date in future tense “will release on October 21st 2024”; not the expected “was released on October 21st, 2024”.
Fixed