Factorio Forums

Currently it is possible to edit other peoples licences with the edit license link.

https://mods.factorio.com/licenses/edit ... 8274f1c64a

I shared a similar link to a friend (the only difference being that it was directed to a different license) and they could edit it.
This is an also a problem because I believe you can reverse engineer the Hexadecimal code connected to the licenses if you tried. My two licenses I have share a similar string when as a url and I think this is not by chance.

License: MITime .../edit/69efXXXXba77188274f1c6XX
License: BugBuggo .../edit/69efe30cba77188274f1c64a

Hopefully this makes sense but I have left the link up top as an example just to show what I mean.

Edit: I also checked if you can edit the license without being logged in to the portal and it says you need to be logged in to view the page. So it does need AN account to be viewed, but it doesn't check whose account.

I was able to edit and update the aforementioned licenses with just the links sent, while logged into my own mod portal account.

Thanks for the report. This issue has now been fixed. In general it would be nice receive reports like this via mail and not through this public channel

Oops, sorry. At least it is fixed now

An official "Disclosure Contact" which is monitored and responds to inquiries would be nice to see - there is not a specific address given in the Terms of Service. Previous attempts at Responsible Disclosure by emailing support@factorio.com have gone un-answered (and these phpb33_ cookies are still not subdomain-scoped.... this is an option in the phpBB panel).