happy to report that, while rimworld does helpfully sync the list of mods you've subscribed to on the steam workshop using the cloud save feature, it does not automatically enable those mods when you next play on another machine, which avoids a rather evil scenario where compromising someone's steam account gives you RCE next time they play rimworld.
for a moment I thought I was going to have to open up a security disclosure while I'm sick.

@gsuberland Hope you get better soon.

@gsuberland Do you reckon many games do proper input validation/sanitization on savegames?

Could be an easy enough way in. Steam even helpfully tells you which games were played last.

@_eike sometimes. I found arbitrary file overwrite in C&C Generals via replay files. there have been insecure deserialisation vulns in .NET/mono and Python games before, but I don't see those come up very often these days. games that do their own file parsing logic in c++ are usually the ones with bugs, but it depends, sometimes they just pull in a JSON/BSON library or use protobufs in a way that avoids security issues.
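
On the insecure deserialisation point for Python games, here is an added example (not code from anyone in this thread or from any game) of a save loader that refuses every class or function lookup in a pickle stream and then type-checks the result. The schema, size limit and all names are hypothetical.

```python
import io
import pickle
from collections import OrderedDict

MAX_SAVE_BYTES = 1 << 20  # assumed upper bound for a save file in this example

# Hypothetical save schema: field name -> exact type expected after loading.
SCHEMA = {"colony": str, "day": int, "mods": list}


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that accepts built-in containers and scalars only."""

    def find_class(self, module, name):
        # Reached whenever the stream asks pickle to import a class or
        # function. Plain save data never needs that, so refuse every lookup.
        raise pickle.UnpicklingError(f"save references {module}.{name}")


def load_save(blob: bytes) -> dict:
    """Parse an untrusted save blob and return it only if it fits SCHEMA."""
    if len(blob) > MAX_SAVE_BYTES:
        raise ValueError("save file too large")
    try:
        state = DataOnlyUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError:
        raise
    except Exception as exc:  # truncated or otherwise malformed stream
        raise ValueError("malformed save file") from exc
    if type(state) is not dict or set(state) != set(SCHEMA):
        raise ValueError("unexpected save layout")
    for field, expected in SCHEMA.items():
        if type(state[field]) is not expected:  # exact type, so bool is not int
            raise ValueError(f"bad type for {field!r}")
    if not all(type(m) is str for m in state["mods"]):
        raise ValueError("mod ids must be strings")
    return state


# Constructed sample inputs (not taken from any real game).
GOOD_SAVE = pickle.dumps({"colony": "Test Base", "day": 12, "mods": ["core"]})
# Same layout, but one value is a class instance, so the stream carries a
# global reference to collections.OrderedDict.
REFS_GLOBAL = pickle.dumps({"colony": OrderedDict(), "day": 12, "mods": []})
WRONG_TYPE = pickle.dumps({"colony": "Test Base", "day": "12", "mods": []})

if __name__ == "__main__":
    print(load_save(GOOD_SAVE))
```

Refusing global lookups does not bound memory use, which is why the size check runs before parsing; a data-only format such as JSON avoids the lookup mechanism altogether.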