PlayOnline Exploits



atom0s
08-27-2023, 05:16 AM
Platform: Windows
ISP: Frontier
Type of Internet Connection: DSL
Internet Connection Speed: 18Mbps
Date & Time: 08.26.2023 - 1:00pm
Frequency: Always
Character Name: N/A
Race: N/A
World: N/A
Main Job: N/A
Support Job: N/A
Area and Coordinates: N/A
Party or Solo: N/A
NPC Name: N/A
Monster Name: N/A
Steps: N/A

I would like to know the best method to report several PlayOnline-related exploits.
I'd rather not post them here on the forum for people to abuse.

You guys don't use anything like HackerOne or similar so another channel would be appreciated. :)


Alhanelem
08-28-2023, 02:45 AM
Exploits should be reported through the STF form or to customer support.

Immortal
08-28-2023, 06:29 AM
You are not a moderator, you could be reported for impersonating one, let him leave it here too, maybe he already did those steps and wants to make sure this is seen.

Alhanelem
08-28-2023, 08:38 AM
You are not a moderator, you could be reported for impersonating one, let him leave it here too, maybe he already did those steps and wants to make sure this is seen.

I didn't claim to be a moderator, I'm not impersonating anyone. I simply provided the correct information for your convenience in order to be helpful. I also replied because you're not going to get a response from anyone at SE here, they do not reply to bug report threads. He said he didn't want to post these things publicly (which is the correct course of action), so I told him where it should be posted. This is according to SE's own support site and terms of service, which tells people not to disseminate exploitable bugs and instead report them directly to SE through customer support.


There is no rule that says someone who has knowledge that someone else needs can't post to offer it. Aside from complaining, one of the main purposes of forums is to help our fellow users.

atom0s
08-28-2023, 09:32 AM
You are not a moderator, you could be reported for impersonating one, let him leave it here too, maybe he already did those steps and wants to make sure this is seen.

I have, reached out in about 5-6 different ways. Just covering the bases to get the best possible outcome of it being seen. :)
Just ignore the forum 'try-hards'.

Alhanelem
08-28-2023, 10:08 AM
I have, reached out in about 5-6 different ways. Just covering the basis to get the best possible outcome of it being seen. :)
Just ignore the forum 'try-hards'.
Who's try-harding?

I just gave a rational, logical response and got dumped on for it.

If you submitted it in the proper channels, it will be seen. (Whether anything will be done is another matter, but since you're being rather vague about it, I don't know how serious these exploit(s) actually are). There's no need to post it in every imaginable place, and doing so may just invite more people to try and find the exploits. As I noted, the user agreements cover the discussion of bugs/exploits and what should be done with them. If SE is expecting us to do it a certain way, they'll be listening when we do it that way.

Sirmarki
08-28-2023, 05:11 PM
Who's try-harding?

I just gave a rational, logical response and got dumped on for it.

If you submitted it in the proper channels, it will be seen. (Whether anything will be done is another matter, but since you're being rather vague about it, I don't know how serious these exploit(s) actually are). There's no need to post it in every imaginable place, and doing so may just invite more people to try and find the exploits. As I noted, the user agreements cover the discussion of bugs/exploits and what should be done with them. If SE is expecting us to do it a certain way, they'll be listening when we do it that way.

Let's not turn it into a giant debate (again).

Alhanelem
08-28-2023, 05:46 PM
Let's not turn it into a giant debate (again).
It certainly wouldn't be my idea. I just gave a simple answer to a simple post, I really didn't expect to be given a hard time for it.

Sp1cyryan
08-29-2023, 05:13 AM
You are not a moderator, you could be reported for impersonating one, let him leave it here too, maybe he already did those steps and wants to make sure this is seen.

Oh ffs, what is your deal? You'd be reported for the same thing by your logic.

atom0s
08-29-2023, 06:56 PM
Removed the previous comment due to a lack of support communication.

Sp1cyryan
08-30-2023, 06:50 AM
To the forum moderators, this can be closed/marked as handled. :)

Got in touch via email with the proper channels.

Thanks for doing that.

atom0s
08-30-2023, 09:06 AM
Sadly, said communications seem to be getting nowhere as the support team has no way to escalate this properly/further as it needs to be.

I am making an announcement with regard to a major security vulnerability I have recently discovered on retail that can affect literally every single player. At this time, I will not be disclosing the vulnerability publicly, but do wish to help ensure the community is safe the best I can with what I can share at the moment. Due to ongoing issues with getting into contact with `Square Enix`, I feel it's best to still inform the community of measures you can take to help keep your account(s) safe.

If you have ever shared your account with anyone, regardless of whether they are a friend or family, or if you have purchased an account from another, then I highly encourage you to specifically change your `PlayOnline Password`. Regardless of whether you have recently changed your `Square Enix` account password, this is critical. Also, even if you have a One-Time Password / security token connected to your account, your account is not safe from this vulnerability.

You can log into the `Square Enix` account management portal to change your password by visiting the `PlayOnline` website and clicking the `Square Enix Account Management System` button at the top. From there you can log into the SE account system and navigate to the proper page to specifically change your account's `PlayOnline` password. I encourage you to do this for all accounts you have/use.

To Square Enix, please contact me. I am available via email at: atom0s@live.com

This is a serious matter.

Immortal
08-30-2023, 09:36 AM
Try posting it on the FFXIV forums, maybe then it will get seen :rolleyes:

Alhanelem
08-30-2023, 12:01 PM
Try posting it on the FFXIV forums, maybe then it will get seen :rolleyes:

If it was reported in the appropriate channels, it has been seen. The same support staff handles both games. They're not going to publicly comment on a thread about exploits.

Sirmarki
08-30-2023, 04:36 PM
even if you have a One-Time Password / security token connected to your account, your account is not safe from this vulnerability.

Thank you for sharing this information.

SE, can we have a response to this please as it potentially could be a serious issue regarding our data protection?

Alhanelem
08-31-2023, 12:19 PM
Thank you for sharing this information.

SE, can we have a response to this please as it potentially could be a serious issue regarding our data protection?
No, you can't. If anything, you'll get a statement when it's discovered and fixed.

The OP really shouldn't have said anything at all, because it was going to (and did) stoke fear among anyone who saw it.

You can be sure that they aren't going to want to deal with the fallout that would occur if something like this were to actually happen, which is exactly why they can not discuss such issues until after they're already fixed. These sorts of things have occurred before. If people know about these things they can exploit them, which is the whole reason the OP didn't originally want to say anything about it in the first place. This is a sensitive topic and not the sort of thing a community rep can just freely discuss.

Sirmarki
08-31-2023, 05:47 PM
No, you can't. If anything, you'll get a statement when it's discovered and fixed.

Erm.. Isn't that what I literally just asked for in my post?

Although, if this is about shared or other accounts then it is not an issue for me as I never have shared an account. It's the comment about the Securekey I was mainly focusing on.

Alhanelem
09-01-2023, 07:50 AM
Erm.. Isn't that what I literally just asked for in my post?

Well, it sounded to me more like you wanted an SE response right now. Which is why I said, with the nature of something like this you're not going to get one until it's been addressed, because if they talk about it beforehand, it risks the issue being tested and exploited by users in the meantime.

Also, I have checked around, the OP above also tweeted (or is it X'ed, now?) at SE and at a minimum, community reps are aware of this thread at the very least.

Catmato
09-01-2023, 07:34 PM
The OP really shouldn't have said anything at all, because it was going to (and did) stoke fear among anyone who saw it.

I disagree. This is the best way to get things addressed when his previous attempts failed. Something similar happened in the Dark Souls community. There was an RCE exploit that was possible in all three Dark Souls games, and likely the then-upcoming Elden Ring as well. Reporting multiple times through official channels did nothing. Only blasting loudly on Reddit finally got an acknowledgement, and a fix shortly thereafter.

Alhanelem
09-01-2023, 08:16 PM
I disagree. This is the best way to get things addressed when his previous attempts failed.

Except, his previous attempts didn't fail in any way. Not getting a response != a failed attempt. They don't and shouldn't respond to issues like this until they are fixed.

Like I said above, this thread has been seen by staff as has any interaction with support. If they (or anyone else) is expecting a magic wand to be waved to instantly fix the problem, they're setting themselves up for disappointment.



Only blasting loudly on Reddit finally got an acknowledgement, and a fix shortly thereafter.

Other companies are other companies. SE has addressed other such exploits in the past, and notification was only given after the fact.

Dragoy
09-01-2023, 09:22 PM
Except, his previous attempts didn't fail in any way. Not getting a response != a failed attempt. They don't and shouldn't respond to issues like this until they are fixed.
While I agree on that they should not respond with any details until fixed, I do think they should respond with /something/. Like, "thank you for the report, we will definitely look into it!".


Like I said above, this thread has been seen by staff as has any interaction with support.
I slightly doubt that since this has not been moved to "not a bug report" or other yet. :]

Catmato
09-01-2023, 09:32 PM
Except, his previous attempts didn't fail in any way. Not getting a response != a failed attempt. They don't and shouldn't respond to issues like this until they are fixed.

Like I said above, this thread has been seen by staff as has any interaction with support. If they (or anyone else) is expecting a magic wand to be waved to instantly fix the problem, they're setting themselves up for disappointment.

I was never demanding that SE should answer right now, but this info SHOULD be posted, widely and often, until it's acknowledged. Until that time, it should be assumed the info hasn't made its way to the development team.

Alhanelem
09-02-2023, 12:00 PM
I was never demanding that SE should answer right now, but this info SHOULD be posted, widely and often, until it's acknowledged. Until that time, it should be assumed the info hasn't made its way to the development team.
It absolutely should not be assumed at all. You do not comment on sensitive security issues unless you have a resolution or at least a workaround action that can be taken for safety. You do not stir your playerbase into a panic without a really good reason.


And frankly, this is all under the assumption that this threat is real. Anyone can just come on here and say "THERE'S A SECURITY THREAT!". Which is why I wouldn't stress over it. If it's real it will be taken seriously and they're already working on it.

But there's something odd about this whole thing. The advice given is to change your POL password. This implies someone has obtained this information from some source and is actively using it against others. If it were an actual bug or issue with the POL client itself, I don't think simply changing your POL password would protect you from it.