Search found 5 matches

by ayahuasca23
Mon Jun 19, 2017 1:27 pm
Forum: Resolved Problems and Bugs
Topic: redacted
Replies: 9
Views: 3548

Re: [0.15.21] User verification vulnerability

HanziQ wrote: Fixed for the next release, thanks for the report.
There are still unanswered questions, though.
Where to report security-related stuff in the future, also here in the forum?
ayahuasca23 wrote: and yeah devs, can we talk privately about that? PM me please.
Should I just post publicly here in this forum?

by ayahuasca23
Mon Jun 19, 2017 11:31 am
Forum: Resolved Problems and Bugs
Topic: redacted
Replies: 9
Views: 3548

Re: [0.15.21] User verification vulnerability

@ayahuasca23 We must be quantum entangled then.

No but in all seriousness, I was trying to reverse engineer the networking protocol this weekend and stumbled upon it. Changing the hostfile for your PoC exploit is actually pretty clever. I tried to make a PoC by injecting code in the factorio ...

by ayahuasca23
Mon Jun 19, 2017 11:00 am
Forum: Resolved Problems and Bugs
Topic: redacted
Replies: 9
Views: 3548

Re: [0.15.21] User verification vulnerability

Some other notes:
* You can see the flaw, documented by the devs themselves, if you read https://www.factorio.com/blog/post/fff-139 carefully.
* I planned on submitting it privately, so that the devs would have time to fix it, and only then post about it. Two things: 1. now it's out, anyway 2. there ...

by ayahuasca23
Mon Jun 19, 2017 10:07 am
Forum: Resolved Problems and Bugs
Topic: redacted
Replies: 9
Views: 3548

Re: [0.15.21] User verification vulnerability

And here's the additional login.sh, with my token removed.
Apache config:
RewriteRule "^/+api-login" "/cgi-bin/login.sh" [PT]

This allows you to still use the multiplayer browser.
Hosts file content is as simple as
192.168.0.24 auth.factorio.com

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1 ...

by ayahuasca23
Mon Jun 19, 2017 9:58 am
Forum: Resolved Problems and Bugs
Topic: redacted
Replies: 9
Views: 3548

Re: [0.15.21] User verification vulnerability

Funny thing... I also found this vulnerability, and worked on it this weekend.
I have a fully working PoC exploit, if anyone is interested. I can join any server with verify-user on, with any username I want, with vanilla 0.15.21 Factorio.
It can be exploited by adding an entry to the hosts file for ...
