[Klonan] Space Age Website Inaccuracies
Hello,
I have noted some inaccuracies on the Factorio website. Some of this was previously reported via email, but was not replied-to so assumed to be lost in the noise. Reporting in the Bug Forum because it seemed like the proper place.
In FFF-433 the Link for "Space Exploration" leads to https://mods.factorio.com/mod/jetpack; the same as the previous link ("Jetpack"). The correct Hyperlink destination would presumably be: https://mods.factorio.com/mod/space-exploration.
On the Space Age Presskit the last paragraph lists the release date in future tense “will release on October 21st 2024”; not the expected “was released on October 21st, 2024”.
While the Terms of Service was updated by the addition of language “Throughout this document, Factorio refers to the Factorio video game as well as the Factorio: Space Age expansion.”, this only raises issues further down which may be ambiguous or confusing:
“You get access to the game by buying the membership. A single payment is all it takes to obtain full membership and unlock all features of the Factorio game.” - The Base Game and the Space Age expansion are purchased as separate transactions.
“Possession of the membership entitles you to all the updates to the digital content associated with this membership for free in the future. Specifically this means that future updates to the core game are for free. However this doesn't include any more significant products that we might release, such as a Factorio DLCs, Factorio 2, etc.” - Space Age IS the theoretical DLC being referred-to here. The current version string (2.0.X) may be confused with “Factorio 2” - whereas an unannounced future sequel title could reasonably be “Oriotcaf”
Re: Space Age Website Inaccuracies
While reading the very-excellent and well-annotated Privacy Policy, I found a reference for the Forums: "The Official Factorio forum. It only collects minimal data needed to serve the forum. It has its own privacy policy here, Which only applies if you register a Forum account.". This document does not appear to have been written by the same folks who did the top-level Privacy Policy.... in fact it appears to be an almost-exact copy of the phpBB Privacy Policy. From the perspective of GDPR compliance, this supplementary document has some issues:
- "Your information for your account at “Factorio Forums” is protected by data-protection laws applicable in the country that hosts us." What Country/Countries is this referencing?
- The usage of "phpBB software" is listed as encompassing "phpBB Limited", "phpBB Teams", and other related terms. This does not clarify whether the Forums.factorio.com server is owned/operated by Wube "using the phpBB software", or if the Forum is a licensed service operated by phpBB Limited directly.
- The Forum Policy only states the circumstances under which data is collected. It does not state, although it is obvious and necessary to operate a Forum, that submitted data will be publicly viewable on the internet by other (anonymous) users of the Factorio Forums.
- "We may also create cookies external to the phpBB software whilst browsing “Factorio Forums”, though these are outside the scope of this document which is intended to only cover the pages created by the phpBB software." - Any cookies external to the phpBB software would presumably be covered by the top-level Privacy Policy; so why is this mentioned here?
- No information is given on how to remove personal data. The top-level Privacy Policy contains instructions for email support, however no hyperlink is provided on the Forum Privacy Policy to discover this fact.
The top-level Privacy Policy mentions "Monglab.com, Linode for the purposes of running our products and related databases – for example, if you set up a forum account, your data will be stored and maintained by Linode as our third party provider." The IP address for the Forum actually resolves to "Akamai Technologies, Inc" at 172.104.141.117, who Purchased Linode in February 2022. It is not clear to me if this IP address is used by a Linode server directly, or if this is an Akamai CDN wrapped-around Linode? I would like to call attention to the fact that I have purchased "monglab.com". So you probably should not list it in your Privacy Policy. This domain was not previously Registered, and referencing un-used public Domains is not a great Security idea. Please clarify if this is a typo of "Mongo Labs", or some other provider? Please contact me via Forum PM if you would like to arrange for (gratis) transfer of this Domain to its rightful owner, since I have no interest in it beyond illustrating the risks here.
If it is the case that these Forums are actually "run by" phpBB on Servers outside of Wube's direct control, does this present any issue with the top-level Policy statement: "We do not sell your personal data or disclose it in any manner to unauthorised third parties." If yes, then how is phpBB not listed as a "Data Processor" on the top-level Policy?
The top-level Privacy Policy does not (appear to?) contain specific provisions for usage of data submitted to the Galaxy of Fame. This data (including the Factorio Username) is visible to any user of the Factorio website, eg: User notnotmelon. Additionally, the source code for this page includes references to undisclosed third-party jsDelivr. Other JavaScript assets are stored/loaded from cdn.factorio.com - so it is not clear why a third-party CDN is required for this page only? Also-also, it appears that Cloudflare for htmx.js - on every page - necessitating a connection to another third-party.
Thank you for reading. I realize that this is extremely narrow and unlikely to cause issues..... but Compliance and ensuring things are done Correctly is a hobby of mine.

Re: [Klonan] Space Age Website Inaccuracies
Hello,
Since this Forum Topic was raised on November 7th, the Privacy Policy has been changed - which is great! I have noticed that "MongoDB Atlas" has been added to the list of external processors (replacing monglab.com), as well as adding Heroku + Redis, jsDelivr, Cloudflare, and CDN77.
However, the Updated Date at the bottom of the Document was not changed:
“REVIEW OF THIS POLICY
We reserve the right to change or amend this policy in the future. Any future changes or amendments will be posted on this page and, if necessary, communicated to you by e-mail. Please check back regularly to see any updates or changes to our privacy policy.
This policy was last updated on the 9th of October, 2024.”
Nor was any update email received, as stated.

Re: [Klonan] Space Age Website Inaccuracies
Hello,
While re-reading the Privacy Policy (again), I noticed references to “Wikimedia” as a Data Processor:
“Wikimedia for our Official Factorio wiki, where you can find useful info and gameplay tips. Wikimedia does not collect much of your personal data, but your IP address will be recorded if you request an account. It has its own privacy policy here, which only applies if you register a Wiki account.”
To the best of my knowledge, the Wikimedia Foundation does not and has never hosted Wiki websites outside of their owned domains (eg, Wikipedia, Wiktionary, Wikibooks….). They do provide the MediaWiki software on an open source basis for others to run their own websites, but this SHOULD NOT result in Wikimedia themselves being a Data Processor? There are external Hosting companies which offer MediaWiki services (such as Fandom, formerly known as Wikia); however it does not appear that the Factorio Wiki uses any such service. If the Wiki is entirely self-hosted by Wube (using servers on Linode or Heroku) then why is Wikimedia listed at all?
Last edited by eugenekay on Tue Nov 26, 2024 2:32 am, edited 1 time in total.
Re: [Klonan] Space Age Website Inaccuracies
(Last thing, I promise!)
The Company Details in the various Privacy Policies show different addresses for Wube Software. In the official Privacy Policy:
“Our complete company details are:
WUBE Software Ltd (Company reg. no: 9201188)
Registered Seat: 41 Devonshire Street, Ground Floor, London, W1G 7AJ”
(Note: The standard for UK company Numbers is to use the full 8 digits, including any leading 0, or 2-Character prefix + 6 digits as applicable.)
Whereas the Factorio Wiki Privacy Policy (last updated 21 November 2018, at 15:40) states:
“Personal Data controller in relation to this Wiki page is WUBE Software Ltd., company number 09201188, with registered office address: 3 Gower Street, London, United Kingdom, WC1 6HA”
As mentioned previously, the Forum Privacy Policy does not clarify if it is hosted by Wube directly, through phpBB, or another third-party hosting organization, nor does it contain a hyperlink to the top-level Privacy Policy.
According to the public filing history at the UK's Company House Website this address was changed on 09 Apr 2021.
- BraveCaperCat
- Filter Inserter
- Posts: 460
- Joined: Mon Jan 15, 2024 10:10 pm
Re: [Klonan] Space Age Website Inaccuracies
> eugenekay wrote: Mon Nov 25, 2024 10:34 pm
> (Last thing, I promise!)
> The Company Details in the various Privacy Policies show different addresses for Wube Software. In the official Privacy Policy:
> “Our complete company details are:
> WUBE Software Ltd (Company reg. no: 9201188)
> Registered Seat: 41 Devonshire Street, Ground Floor, London, W1G 7AJ”
> (Note: The standard for UK company Numbers is to use the full 8 digits, including any leading 0, or 2-Character prefix + 6 digits as applicable.)
> Whereas the Factorio Wiki Privacy Policy (last updated 21 November 2018, at 15:40) states:
> “Personal Data controller in relation to this Wiki page is WUBE Software Ltd., company number 09201188, with registered office address: 3 Gower Street, London, United Kingdom, WC1 6HA”
> As mentioned previously, the Forum Privacy Policy does not clarify if it is hosted by Wube directly, through phpBB, or another third-party hosting organization, nor does it contain a hyperlink to the top-level Privacy Policy.
> According to the public filing history at the UK's Company House Website this address was changed on 09 Apr 2021.
As seen on the about us page, Wube isn't in London... It's in the Czech Republic.
Note that I'm not a legal or business expert, or know much about any of that...
Creator of multiple mods, including Quality Assurance - My most popular one.
Go check them out with the first and second links!
I'll probably be wanting or giving help with modding most of the time I spend here on the forum.
Re: [Klonan] Space Age Website Inaccuracies
Nope! The Privacy Policy clearly states that the “Czech branch” is not the same entity as the UK corporation:
WUBE SOFTWARE Ltd. odštěpný závod, registered with the Company register of the Czech Republic under no. 03594009 – our Czech branch.
- IsaacOscar
- Filter Inserter
- Posts: 843
- Joined: Sat Nov 09, 2024 2:36 pm
Re: [Klonan] Space Age Website Inaccuracies
A couple of minor issues I've found, when I'm logged in (I have both the base game and space age purchased) it gives me an option to buy space age:
But only when I click the "Game" tab, the option isn't shown in the drop downs for "Game" or "Space Age", nor on the page when you click "Space Age".
I would expect either both buy buttons to be hidden (or preferably), both to be shown.
Whereas when I log out: I get a button to buy the base game and space age, and the buttons show in both the "game" and "Space age" drop downs.
However, there is still no buy button when I click the "space age button":
Also the rocket is the old model, not the new 2.0/Space Age one:
It should look like this:
- BraveCaperCat
Re: [Klonan] Space Age Website Inaccuracies
Another website problem: When logging into the mod portal through steam, it brings me back to the main website. And when doing this on a mobile device with the steam mobile app installed, it tries to open the steam app to login - which doesn't work at all. That last part seems more like a steam issue than a Factorio issue, but I mentioned it anyway, since it was related. Also, the mod portal and main website are signing out so much more than the forums - I had to go offline on the forums for months before it signed me out, but for the mod portal and main website (on a per-device basis) it only takes a few hours to automatically sign out. Note that I only login to the mod portal and main website through steam.
Re: [Klonan] Space Age Website Inaccuracies
This Bug Report was raised for Factual inaccuracies in the website copy, not for graphical or Cookie persistence issues. Please consider a New Topic. 

Re: [Klonan] Space Age Website Inaccuracies
Hello,
Sorry to post again, but I have discovered another issue within the Privacy Policy / Website Cookies:
“USE OF COOKIES AND JAVASCRIPT
To better adapt our services to your requirements our website uses cookies – small files stored in your device that contain data related to your activity on our website. We only use cookies with registered users. You can always change your cookies settings in your browser or refuse accepting cookies altogether. The change in settings can, however, adversely affect the functioning of some parts of the website for you.”
From an InPrivate / Incognito window (not Logged-in):
There is a cookie named "session" which is sent to the User's browser on first-visit to the Factorio domain. This is stored on the user's computer for the length of the Browser Session, and is submitted to all *.factorio.com servers (including the Forums) on each request. This session cookie is used when Signed-in (with "Remember Me" unchecked), and does not change. This seems to be in contravention of the Privacy Policy, which states that only "registered users" receive Cookies.
From a Normal window (Logged-In):
If "Remember Me" is checked, an additional cookie "wube_remember_token" is also placed, which does have the Expires field set, however it LACKS the "Secure" field. This means that this Cookie may be sent over HTTP requests, which represents a potential Security issue. This is somewhat mitigated by the fact that the Factorio.com presents a "strict-transport-security" header (aka HSTS header), so a compliant browser should stick to HTTPS requests. The forums do NOT supply this "strict-transport-security" header, so it is possible (with an HTTP-downgrade aka Man-in-the-Middle attack) to intercept requests here and obtain this cookie!
If logged-in to the Forums Website then additional "phpbb3_" cookies are placed. However, these are NOT Subdomain Restricted and are sent on every request to WWW.factorio.com, Mods.factorio.com, etc. This increases the risks of an XSS vulnerability on those websites, since it is additional user tokens which may be collected.
The Wiki appears to set a "mediawiki_wiki_session" cookie, even when Logged-Out; it does Contain the "Secure" flag. However, the Wiki subdomain does NOT supply the "strict-transport-security" header, similar to the Forums. The Terms of Service was last updated in 2019 (the text says 2018?), and contains similar language to the original Privacy Policy (eg, "Factorio 2" references). It also claims "In case of legal dispute, the governing laws of the Czech Republic will apply.", which.... is counter to the assertion that Wube Software is a UK Company?
Thank you for reading.
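
The three checks raised in the post above (the Secure flag, the cookie's Domain scope, and which hosts send Strict-Transport-Security) can be run together over a set of response headers. This is an added example, not part of the original post or of the site's code; the hosts, cookie names and header values in SAMPLE_RESPONSES are constructed placeholders, and the audit assumes the browser has already recorded every HSTS header shown.

```javascript
// Constructed sample: placeholder hosts, cookie names and values, not captured traffic.
const SAMPLE_RESPONSES = [
  { host: "example.test", headers: [
    ["Strict-Transport-Security", "max-age=31536000"],
    ["Set-Cookie", "session=s1; Domain=example.test; Path=/; HttpOnly; Secure"],
    ["Set-Cookie", "remember_token=r1; Domain=example.test; Path=/; " +
      "Expires=Wed, 01 Jan 2031 00:00:00 GMT; HttpOnly"],
  ]},
  { host: "forums.example.test", headers: [
    ["Set-Cookie", "forum_sid=f1; Domain=.example.test; Path=/; HttpOnly; Secure"],
  ]},
  { host: "wiki.example.test", headers: [
    ["Set-Cookie", "wiki_session=w1; Path=/; HttpOnly; Secure"],
  ]},
];

// Parse one Set-Cookie value received from originHost. Without a Domain
// attribute the cookie is host-only; with one it also goes to every subdomain.
function parseSetCookie(value, originHost) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    setBy: originHost, domain: originHost, hostOnly: true, secure: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "domain" && val !== "") {
      cookie.domain = val.replace(/^\./, "").toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Parse a Strict-Transport-Security value; max-age=0 removes the policy.
function parseHsts(value) {
  const policy = { maxAge: 0, includeSubDomains: false };
  for (const part of value.split(";").map((s) => s.trim().toLowerCase())) {
    if (part === "includesubdomains") policy.includeSubDomains = true;
    else if (part.startsWith("max-age=")) {
      policy.maxAge = parseInt(part.slice(8).replace(/"/g, ""), 10) || 0;
    }
  }
  return policy.maxAge > 0 ? policy : null;
}

function cookieSentTo(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// A host is HTTPS-only if it sent HSTS itself, or a parent sent includeSubDomains.
function hstsCovers(policies, host) {
  for (const [policyHost, policy] of policies) {
    if (host === policyHost) return true;
    if (policy.includeSubDomains && host.endsWith("." + policyHost)) return true;
  }
  return false;
}

function audit(responses) {
  const hosts = responses.map((r) => r.host.toLowerCase());
  const policies = new Map();
  const cookies = [];
  for (const r of responses) {
    const host = r.host.toLowerCase();
    for (const [name, value] of r.headers) {
      const n = name.toLowerCase();
      if (n === "strict-transport-security") {
        const p = parseHsts(value);
        if (p) policies.set(host, p); else policies.delete(host);
      } else if (n === "set-cookie") {
        cookies.push(parseSetCookie(value, host));
      }
    }
  }
  const hostsWithoutHsts = hosts.filter((h) => !hstsCovers(policies, h));
  const findings = cookies.map((c) => {
    const sentTo = hosts.filter((h) => cookieSentTo(c, h));
    // A cookie without Secure can leave in cleartext via any in-scope host
    // that the browser is still willing to reach over plain HTTP.
    const cleartextHosts = c.secure ? [] : sentTo.filter((h) => hostsWithoutHsts.includes(h));
    const issues = [];
    if (!c.secure) issues.push("missing-secure");
    if (sentTo.some((h) => h !== c.setBy)) issues.push("shared-across-subdomains");
    if (cleartextHosts.length > 0) issues.push("cleartext-exposure");
    return { name: c.name, setBy: c.setBy, sentTo, cleartextHosts, issues };
  });
  return { hostsWithoutHsts, findings };
}

const sampleReport = audit(SAMPLE_RESPONSES);
console.log("Hosts without HSTS:", sampleReport.hostsWithoutHsts.join(", "));
for (const f of sampleReport.findings) {
  console.log(`${f.name} (set by ${f.setBy}): ${f.issues.join(", ") || "ok"}`);
}
```

Setting Secure on the token removes the cleartext finding outright; HSTS with includeSubDomains on the parent domain only narrows it, because HSTS protects a browser only after it has seen the header once.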
- BraveCaperCat
Re: [Klonan] Space Age Website Inaccuracies
> eugenekay wrote: Tue Nov 26, 2024 2:11 am
> This Bug Report was raised for Factual inaccuracies in the website copy, not for graphical or Cookie persistence issues. Please consider a New Topic.
You: *Posts about cookie issues*
> eugenekay wrote: Fri Dec 13, 2024 6:25 pm
> Hello,
> Sorry to post again, but I have discovered another issue within the Privacy Policy / Website Cookies:
> “USE OF COOKIES AND JAVASCRIPT
> To better adapt our services to your requirements our website uses cookies – small files stored in your device that contain data related to your activity on our website. We only use cookies with registered users. You can always change your cookies settings in your browser or refuse accepting cookies altogether. The change in settings can, however, adversely affect the functioning of some parts of the website for you.”
> From an InPrivate / Incognito window (not Logged-in):
> There is a cookie named "session" which is sent to the User's browser on first-visit to the Factorio domain. This is stored on the user's computer for the length of the Browser Session, and is submitted to all *.factorio.com servers (including the Forums) on each request. This session cookie is used when Signed-in (with "Remember Me" unchecked), and does not change. This seems to be in contravention of the Privacy Policy, which states that only "registered users" receive Cookies.
> From a Normal window (Logged-In):
> If "Remember Me" is checked, an additional cookie "wube_remember_token" is also placed, which does have the Expires field set, however it LACKS the "Secure" field. This means that this Cookie may be sent over HTTP requests, which represents a potential Security issue. This is somewhat mitigated by the fact that the Factorio.com presents a "strict-transport-security" header (aka HSTS header), so a compliant browser should stick to HTTPS requests. The forums do NOT supply this "strict-transport-security" header, so it is possible (with an HTTP-downgrade aka Man-in-the-Middle attack) to intercept requests here and obtain this cookie!
> If logged-in to the Forums Website then additional "phpbb3_" cookies are placed. However, these are NOT Subdomain Restricted and are sent on every request to WWW.factorio.com, Mods.factorio.com, etc. This increases the risks of an XSS vulnerability on those websites, since it is additional user tokens which may be collected.
> The Wiki appears to set a "mediawiki_wiki_session" cookie, even when Logged-Out; it does Contain the "Secure" flag. However, the Wiki subdomain does NOT supply the "strict-transport-security" header, similar to the Forums. The Terms of Service was last updated in 2019 (the text says 2018?), and contains similar language to the original Privacy Policy (eg, "Factorio 2" references). It also claims "In case of legal dispute, the governing laws of the Czech Republic will apply.", which.... is counter to the assertion that Wube Software is a UK Company?
> Thank you for reading.
Me: *Makes a post about it*
You: *Posts about why what you posted isn't a cookie persistence issue, and you said that this isn't a topic for cookie persistence issue*BraveCaperCat wrote: Fri Dec 13, 2024 8:42 pmYou: *Posts about cookie issues*eugenekay wrote: Tue Nov 26, 2024 2:11 am This Bug Report was raised for Factual inaccuracies in the website copy, not for graphical or Cookie persistence issues. Please consider a New Topic.![]()
Me: *Makes a post about it*eugenekay wrote: Fri Dec 13, 2024 6:25 pm Hello,
Sorry to post again, but I have discovered another issue within the Privacy Policy / Website Cookies:From an InPrivate / Incognito window (not Logged-in):USE OF COOKIES AND JAVASCRIPT
To better adapt our services to your requirements our website uses cookies – small files stored in your device that contain data related to your activity on our website. We only use cookies with registered users. You can always change your cookies settings in your browser or refuse accepting cookies altogether. The change in settings can, however, adversely affect the functioning of some parts of the website for you.
Screenshot 2024-12-13 130336.png
There is a cookie named "session" which is sent to the User's browser on first-visit to the Factorio domain. This is stored on the user's computer for the length of the Browser Session, and is submitted to all *.factorio.com servers (including the Forums) on each request. This session cookie is used when Signed-in (with "Remember Me" unchecked, and does not change. This seems to be in contravention of the Privacy Policy, which states that only "registered users" receive Cookies.
From a Normal window (Logged-In):
Screenshot 2024-12-13 130934.png
If "Remember Me" is checked, an additional cookie "wube_remember_token" is also placed, which does have the Expires field set, however it LACKS the "Secure" field. This means that this Cookie may be sent over HTTP requests, which represents a potential Security issue. This is somewhat mitigated by the fact that the Factorio.com presents a "strict-transport-security" header (aka HSTS header), so a compliant browser should stick to HTTPS requests. The forums do NOT supply this "strict-transport-security" header, so it is possible (with a HTTP-downgrade aka Man-in-the-Middle attack) to intercept requests here and obtain this cookie!
If logged-in to the Forums Website then additional "phpbb3_" cookies are placed. However, these are NOT Subdomain Restricted and are sent on every request to WWW.factorio.com, Mods.factorio.com, etc. This increases the risks of a XSS vulnerability on those websites, since it is additional user tokens which may be collected.
The Wiki appears to set a "mediawiki_wiki_session" cookie, even when Logged-Out; it does Contain the "Secure" flag. However, the Wiki subdomain does NOT supply the "strict-transport-security" header, similar to the Forums. The Terms of Service was last updated in 2019 (the text says 2018?), and contains similar language to the original Privacy Policy (eg, "Factorio 2" references). It also claims "In case of legal dispute, the governing laws of the Czech Republic will apply.", which.... is counter to the assertion that Wube Software is a UK Company?
Thank you for reading.
You: *Posts about why what you posted isn't a cookie persistence issue, and you said that this isn't a topic for cookie persistence issue*
FutureYou wrote: What I posted wasn't about cookie persistence issues, it's about the existence of cookies at all when logged out. This is contrary to the assumption that the privacy policy doesn't permit cookies on any factorio.com sub domains while logged out.
FutureYou wrote:What I posted wasn't about cookie persistence issues, it's about the existence of cookies at all when logged out. This is contrary to the assumption that the privacy policy doesn't permit cookies on any factorio.com sub domains while logged out.BraveCaperCat wrote: Fri Dec 13, 2024 8:42 pmYou: *Posts about cookie issues*eugenekay wrote: Tue Nov 26, 2024 2:11 am This Bug Report was raised for Factual inaccuracies in the website copy, not for graphical or Cookie persistence issues. Please consider a New Topic.![]()
eugenekay wrote: Fri Dec 13, 2024 6:25 pm Hello,
Sorry to post again, but I have discovered another issue within the Privacy Policy / Website Cookies:
USE OF COOKIES AND JAVASCRIPT
To better adapt our services to your requirements our website uses cookies – small files stored in your device that contain data related to your activity on our website. We only use cookies with registered users. You can always change your cookies settings in your browser or refuse accepting cookies altogether. The change in settings can, however, adversely affect the functioning of some parts of the website for you.
From an InPrivate / Incognito window (not Logged-in):
Screenshot 2024-12-13 130336.png
There is a cookie named "session" which is sent to the User's browser on first-visit to the Factorio domain. This is stored on the user's computer for the length of the Browser Session, and is submitted to all *.factorio.com servers (including the Forums) on each request. This session cookie is used when Signed-in (with "Remember Me" unchecked), and does not change. This seems to be in contravention of the Privacy Policy, which states that only "registered users" receive Cookies.
From a Normal window (Logged-In):
Screenshot 2024-12-13 130934.png
If "Remember Me" is checked, an additional cookie "wube_remember_token" is also placed, which does have the Expires field set, however it LACKS the "Secure" field. This means that this Cookie may be sent over HTTP requests, which represents a potential Security issue. This is somewhat mitigated by the fact that the Factorio.com presents a "strict-transport-security" header (aka HSTS header), so a compliant browser should stick to HTTPS requests. The forums do NOT supply this "strict-transport-security" header, so it is possible (with an HTTP-downgrade aka Man-in-the-Middle attack) to intercept requests here and obtain this cookie!
If logged-in to the Forums Website then additional "phpbb3_" cookies are placed. However, these are NOT Subdomain Restricted and are sent on every request to WWW.factorio.com, Mods.factorio.com, etc. This increases the risks of an XSS vulnerability on those websites, since it is additional user tokens which may be collected.
The Wiki appears to set a "mediawiki_wiki_session" cookie, even when Logged-Out; it does Contain the "Secure" flag. However, the Wiki subdomain does NOT supply the "strict-transport-security" header, similar to the Forums.
The Terms of Service was last updated in 2019 (the text says 2018?), and contains similar language to the original Privacy Policy (eg, "Factorio 2" references). It also claims "In case of legal dispute, the governing laws of the Czech Republic will apply.", which.... is counter to the assertion that Wube Software is a UK Company?
Thank you for reading.
Me: *Makes a post about it*
You: *Posts about why what you posted isn't a cookie persistence issue, and you said that this isn't a topic for cookie persistence issue*
FutureYou wrote: What I posted wasn't about cookie persistence issues, it's about the existence of cookies at all when logged out. This is contrary to the assumption that the privacy policy doesn't permit cookies on any factorio.com sub domains while logged out.
Last edited by BraveCaperCat on Fri Dec 13, 2024 8:44 pm, edited 1 time in total.
Creator of multiple mods, including Quality Assurance - My most popular one.
Go check them out with the first and second links!
I'll probably be wanting or giving help with modding most of the time I spend here on the forum.
Re: [Klonan] Space Age Website Inaccuracies
Do you usually go on the internet to pick fights?


- BraveCaperCat
- Filter Inserter
- Posts: 460
- Joined: Mon Jan 15, 2024 10:10 pm
Re: [Klonan] Space Age Website Inaccuracies
No, it was a joke! You didn't wait until I edited it...
I did however read your previous post in a serious manner and understand that the issue goes beyond PP and ToS issues. (at least, I think so... not sure.)
Last edited by BraveCaperCat on Fri Dec 13, 2024 8:53 pm, edited 1 time in total.
Re: [Klonan] Space Age Website Inaccuracies
It’s still not funny?
This is a serious Report covering, among other things, a Potential Security Issue stemming from insecure usage of Cookies containing a Secret that allows user Impersonation and account takeover. It has been reported to support@factorio.com in the absence of a responsible disclosure process. This was discovered from a close reading of the Privacy Policy, which is a legal document outlining your rights.
- BraveCaperCat
- Filter Inserter
- Posts: 460
- Joined: Mon Jan 15, 2024 10:10 pm
Re: [Klonan] Space Age Website Inaccuracies
eugenekay wrote: Fri Dec 13, 2024 8:50 pm It’s still not funny?
This is a serious Report covering, among other things, a Potential Security Issue stemming from insecure usage of Cookies containing a Secret that allows user Impersonation and account takeover. It has been reported to support@factorio.com in the absence of a responsible disclosure process. This was discovered from a close reading of the Privacy Policy, which is a legal document outlining your rights.
Well then, other than the serious report bit - I guess my joke wasn't a very good joke.
Re: [Klonan] Space Age Website Inaccuracies
eugenekay wrote: Fri Dec 13, 2024 6:25 pm Hello,
Sorry to post again, but I have discovered another issue within the Privacy Policy / Website Cookies:
USE OF COOKIES AND JAVASCRIPT
To better adapt our services to your requirements our website uses cookies – small files stored in your device that contain data related to your activity on our website. We only use cookies with registered users. You can always change your cookies settings in your browser or refuse accepting cookies altogether. The change in settings can, however, adversely affect the functioning of some parts of the website for you.
From an InPrivate / Incognito window (not Logged-in):
Screenshot 2024-12-13 130336.png
There is a cookie named "session" which is sent to the User's browser on first-visit to the Factorio domain. This is stored on the user's computer for the length of the Browser Session, and is submitted to all *.factorio.com servers (including the Forums) on each request. This session cookie is used when Signed-in (with "Remember Me" unchecked), and does not change. This seems to be in contravention of the Privacy Policy, which states that only "registered users" receive Cookies.
From a Normal window (Logged-In):
Screenshot 2024-12-13 130934.png
If "Remember Me" is checked, an additional cookie "wube_remember_token" is also placed, which does have the Expires field set, however it LACKS the "Secure" field. This means that this Cookie may be sent over HTTP requests, which represents a potential Security issue. This is somewhat mitigated by the fact that the Factorio.com presents a "strict-transport-security" header (aka HSTS header), so a compliant browser should stick to HTTPS requests. The forums do NOT supply this "strict-transport-security" header, so it is possible (with an HTTP-downgrade aka Man-in-the-Middle attack) to intercept requests here and obtain this cookie!
If logged-in to the Forums Website then additional "phpbb3_" cookies are placed. However, these are NOT Subdomain Restricted and are sent on every request to WWW.factorio.com, Mods.factorio.com, etc. This increases the risks of an XSS vulnerability on those websites, since it is additional user tokens which may be collected.
The Wiki appears to set a "mediawiki_wiki_session" cookie, even when Logged-Out; it does Contain the "Secure" flag. However, the Wiki subdomain does NOT supply the "strict-transport-security" header, similar to the Forums.
The Terms of Service was last updated in 2019 (the text says 2018?), and contains similar language to the original Privacy Policy (eg, "Factorio 2" references). It also claims "In case of legal dispute, the governing laws of the Czech Republic will apply.", which.... is counter to the assertion that Wube Software is a UK Company?
Thank you for reading.
Hello,
It has been almost 6 months since this Bug was originally opened / placed into Assigned. There is still a disagreement between the various "Last Updated" dates in the Privacy Policy, and when their contents were actually changed. No changes to Cookie Policy or Security have been observed. There is still some confusion as to Wube Software's legal status as a UK or Czech company.
Thank you for reading.
-Eugene
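The cookie and HSTS observations in the report quoted above can be checked mechanically from response headers. The Python audit below is an added example, not code from the thread or from Wube; the example.test hosts, the placeholder cookie values, the phpbb3_example_sid name and the Domain= scopes are assumptions constructed to mirror the post's description.

```python
# Constructed captures modelled on the post; hosts and values are placeholders.
HSTS = ("Strict-Transport-Security", "max-age=31536000")
CAPTURES = [  # (host, captured while logged out?, response headers)
    ("www.example.test", True, [HSTS,
        ("Set-Cookie", "session=X; Domain=.example.test; Path=/; Secure; HttpOnly")]),
    ("www.example.test", False, [HSTS,
        ("Set-Cookie", "wube_remember_token=X; Domain=.example.test; "
                       "Expires=Sat, 13 Dec 2025 00:00:00 GMT; Path=/; HttpOnly")]),
    ("forums.example.test", False, [
        ("Set-Cookie", "phpbb3_example_sid=X; Domain=.example.test; Path=/; Secure")]),
    ("wiki.example.test", True, [
        ("Set-Cookie", "mediawiki_wiki_session=X; Path=/; Secure; HttpOnly")]),
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0], attrs

def in_scope(set_by, attrs, target):
    """Would a browser send the cookie to `target`? Domain= widens it to subdomains."""
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return target == set_by  # host-only cookie
    return target == domain or target.endswith("." + domain)

def audit(captures):
    """Return sorted (host, cookie, finding) tuples for the issues the post lists."""
    # HSTS is judged per host; inherited includeSubDomains is not modelled.
    hsts = {}
    for host, _, headers in captures:
        seen = any(k.lower() == "strict-transport-security" for k, _ in headers)
        hsts[host] = hsts.get(host, False) or seen
    findings = {(h, "-", "no-hsts") for h, ok in hsts.items() if not ok}
    for host, anonymous, headers in captures:
        for value in (v for k, v in headers if k.lower() == "set-cookie"):
            name, attrs = parse_set_cookie(value)
            if anonymous:
                findings.add((host, name, "set-for-anonymous-visitor"))
            if "domain" in attrs:
                findings.add((host, name, "shared-with-subdomains"))
            if "secure" not in attrs:
                findings.add((host, name, "missing-secure"))
                findings.update((t, name, "cleartext-exposure-no-hsts")
                    for t, ok in hsts.items() if not ok and in_scope(host, attrs, t))
    return sorted(findings)
```

Calling `audit(CAPTURES)` pairs each cookie that lacks Secure with every in-scope host that sends no HSTS header, which is the combination the report singles out for the remember-me token.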
Re: [Klonan] Space Age Website Inaccuracies
eugenekay wrote: Mon Nov 25, 2024 10:34 pm (Last thing, I promise!)
The Company Details in the various Privacy Policies show different addresses for Wube Software. In the official Privacy Policy
Fixed
eugenekay wrote: Mon Nov 25, 2024 9:41 pm If the Wiki is entirely self-hosted by Wube (using servers on Linode or Heroku) then why is Wikimedia listed at all?
Fixed (Changed to just say Factorio wiki)
eugenekay wrote: Mon Nov 25, 2024 9:00 pm However, the Updated Date at the bottom of the Document was not changed
Fixed
I don't think small corrections and typos count as changes large enough to require an email notification (which is only if necessary).
(Any future changes or amendments will be posted on this page and, if necessary, communicated to you by e-mail.)
eugenekay wrote: Fri Nov 08, 2024 12:03 am On the Space Age Presskit the last paragraph lists the release date in future tense “will release on October 21st 2024”; not the expected “was released on October 21st, 2024”.
Fixed