[Site][URGENT] Factorio.com user profile cookie collision or false transmission

Post your bugs and problems so we can fix them.
Post Reply
User avatar
TruePikachu
Filter Inserter
Filter Inserter
Posts: 902
Joined: Sat Apr 09, 2016 8:39 pm
Contact:

[Site][URGENT] Factorio.com user profile cookie collision or false transmission

Post by TruePikachu » Wed Nov 06, 2019 11:45 pm

In response to someone making a post on Reddit claiming that the site doesn't hash passwords, with the claim of a plaintext password listed on the profile page, I made a screenshot of my profile page, dropped it into MS Paint, did normal information-censoring stuff on it to mask my token and e-mail address, and uploaded it to Imgur to post as a comment.
Image

Shortly afterwards, I opened the page again, and it lists me as someone completely different:
Untitled.png
Untitled.png (7.34 KiB) Viewed 444 times
I do not own this account, and yet it appears that, for all intents and purposes, I had logged in as it. I did not try performing any operations as said user with the sole exception of accessing the Steam profile page of the linked account (and only for the purpose of verifying it was not mine). I have now logged out of that account, re-logged into my own, and invalidated my token (though I don't know what good that will do, if it doesn't invalidate login sessions in web browsers).

User avatar
Jon8RFC
Filter Inserter
Filter Inserter
Posts: 476
Joined: Tue May 10, 2016 3:39 pm
Contact:

Re: [Site][URGENT] Factorio.com user profile cookie collision or false transmission

Post by Jon8RFC » Thu Nov 07, 2019 5:09 am

Not sure if it relates but I noticed a few days ago that factorio.com fails to go through ssllabs.com testing due to a "certificate name mismatch" and then "unable to obtain certificate" after clicking to proceed anyway. I've tested it, many times, in the past and it went through without a hitch. forums.factorio.com (the ipv4 version) still goes through the tests.

And, when I wanted to check if the IPs were the same, I was on factorio.com/login and saw that the IP was 3.something in my browser (I have a plugin which shows the IP address of each page), and I refreshed and it was back to 104.24.1.109. Strange. I was going to write it down but lost my train of thought. I'm hoping I can catch it again.

EDIT:
Around 6pm Central time, today November 6, I was also unable to download the factorio zip. It would start, go through various amounts of completion, like 0.3gb up to 1.2gb, and just do a dead stop after a very short period. It always went at full 500mbit speed so it seemed fine. I could start a new download with no problem, and it would go and eventually just grind to a halt. That happened for a good 10 minutes until I finally managed to get a complete download.

EDIT 2019-11-07 9:13 AM UTC:
Looks like a website move was in progress/incomplete. Seems like things are working better now. DNS records have been properly updated as well.
Image

User avatar
Sanqui
Factorio Staff
Factorio Staff
Posts: 131
Joined: Mon May 07, 2018 7:22 pm
Contact:

Re: [Site][URGENT] Factorio.com user profile cookie collision or false transmission

Post by Sanqui » Thu Nov 07, 2019 11:58 am

TruePikachu, thank you for bringing this to our attention. This is certainly a problem with caching at Cloudflare so I have disabled it for now.

Jon8RFC, thanks for the info. I'm not sure why Factorio.com didn't pass through SSL Labs but I think it's a bug on their site, because our certs are correct. If at one point you got a different IP, that's also not a problem, presumably you simply got the site behind Cloudflare. Since Cloudflare is disabled now, the IPs are different.

I'm investigating the full scope of this problem and should have more information very soon. Regardless, at this point it should not be happening any more. I can also confirm that no actions were performable with the other account that were possibly visible.
ovo

User avatar
TruePikachu
Filter Inserter
Filter Inserter
Posts: 902
Joined: Sat Apr 09, 2016 8:39 pm
Contact:

Re: [Site][URGENT] Factorio.com user profile cookie collision or false transmission

Post by TruePikachu » Thu Nov 07, 2019 3:41 pm

Given that it persisted me as the user on page reload (including cache-bypass reload) and navigation to another page, but not when I opened the profile page via direct URL in a private Firefox session, I'm not 100% sure it was just Cloudflare serving cached versions of all those pages "by coincidence"; I'd have thought one of the pages (the profile one) should have also set/updated a cookie. Regardless, I didn't save the jar, so there's no way to really tell now unless the issue comes up again.

Post Reply

Return to “Bug Reports”

Who is online

Users browsing this forum: No registered users