Exploit: Same SteamID can read the same journals.

Chuckleberry-Finn / Skill-Recovery-Journal

Mod for Project Zomboid which allows users to craft journals, record gained skills, and recover lost skill progression.

https://steamcommunity.com/sharedfiles/filedetails/?id=2503622437

GNU Affero General Public License v3.0

29 stars 32 forks source link

Exploit: Same SteamID can read the same journals. #41

Closed sapphiregraphics closed 1 year ago

sapphiregraphics commented 2 years ago

Due to how your code checks for unique player IDs, players with the same SteamID can read the same journals. On most servers (specifically RP servers) you allow players to 2-3 characters. This means that the SteamID can read all the characters journals.

Other players could also log into someone's account and read their original journal to get the skills and the logout again.

Found by Zoomies.

Chuckleberry-Finn commented 2 years ago

Unfortunately there isn't really a way around this that I can see.