CWE-326: Inadequate Encryption Strength #35
Labels
attention : optional
Not sure if we need this
info : technical
Feature not related to the gameplay experience
Dear Sirs,
While exporting the saves, I found that the generated file consists of a textual string. Upon further analysis, I recognized that it is a Base64 encoding. By deciphering the save, I was able to access the entire log of my events, resources, and other related data.
Next, I made changes to the parameters present in the save, and, once recoded in Base64, I re-imported the resulting string. In doing so, I was able to start a game with the modified values.
I understand that the purpose of the game is to provide a light-hearted and entertaining experience; however, finding exploits of this type can compromise the fun. Therefore, I would like to report this vulnerability to you so that you may consider implementing a more robust encryption algorithm, especially if in the future you should need to include textual strings of a sensitive nature, such as debugging information, in the save.
While I understand that the goal of the game is not to encourage fraudulent behavior, I believe that an improvement in this area could help provide a higher quality product to the community and give you more freedom in managing your save data.
I remain available for any clarifications and extend my warmest regards.
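The behaviour reported above comes down to an import path with no integrity check, since Base64 is an encoding and not encryption. As an added example (not the game's code and not the reporter's), the sketch below contrasts an import that trusts any Base64 JSON with one that verifies an HMAC-SHA256 tag; the save layout, key, and all function names are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac, json

# Assumption: the key is held where players cannot read it (e.g. a server).
# A key shipped inside the client can be extracted and only raises the bar.
SAVE_KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def export_plain(state):
    """Export as the report describes: Base64 of the serialized state."""
    return base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()

def import_plain(blob):
    """Import without any integrity check: well-formed input is trusted."""
    return json.loads(base64.b64decode(blob))

def export_signed(state, key=SAVE_KEY):
    """Prepend an HMAC-SHA256 tag over the payload before encoding."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(tag + payload).decode()

def import_signed(blob, key=SAVE_KEY):
    """Reject the save unless the tag matches the payload."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("save is not valid Base64") from exc
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("save failed integrity check")
    return json.loads(payload)

def with_edited_gold(blob, header_len):
    """Test fixture: the payload is changed by hand, any header kept as-is."""
    raw = base64.b64decode(blob)
    state = json.loads(raw[header_len:])
    state["resources"]["gold"] = 999999
    edited = json.dumps(state, sort_keys=True).encode()
    return base64.b64encode(raw[:header_len] + edited).decode()

SAMPLE = {"resources": {"gold": 120}, "events": ["tutorial_done"]}  # constructed

def demo():
    plain_gold = import_plain(with_edited_gold(export_plain(SAMPLE), 0))["resources"]["gold"]
    try:
        import_signed(with_edited_gold(export_signed(SAMPLE), TAG_LEN))
        signed = "accepted"
    except ValueError as exc:
        signed = str(exc)
    return plain_gold, signed, import_signed(export_signed(SAMPLE)) == SAMPLE
```

This covers tamper detection only; if the save contents must also be unreadable, an authenticated encryption mode would take the place of the HMAC step.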