PlayOnline Exploits

[Sp1cyryan]

To the forum moderators, this can be closed/marked as handled.

Got in touch via email with the proper channels.

Thanks for doing that.

[atom0s]

Sadly, said communications seem to be getting nowhere as the support team has no way to escalate this properly/further as it needs to be.

I am making an announcement in regards to a major security vulnerability I have recently discovered on retail that can affect literally every single player. At this time, I will not be disclosing the vulnerability publicly, but do wish to help ensure the community is safe the best I can with what I can share at the moment. Due to ongoing issues with getting into contact with `Square Enix`, I feel it's best to still inform the community of measures you can take to help keep your account(s) safe.

If you have ever shared your account with anyone, regardless if they are a friend or family, or if you have purchased an account from another, then I highly encourage you to specifically change your `PlayOnline Password`. Regardless if you have recently changed your `Square Enix` account password, this is critical. Also, even if you have a One-Time Password / security token connected to your account, your account is not safe from this vulnerability.

You can log into the `Square Enix` account management portal to change your password by visiting the `PlayOnline` website and clicking the `Square Enix Account Management System` button at the top. From there you can log into the SE account system and navigate to the proper page to specifically change your accounts `PlayOnline` password. I encourage you to do this for all accounts you have/use.

To Square Enix, please contact me. I am available via email at: atom0s@live.com

This is a serious matter.

[Immortal]

Try posting it on the FFXIV forums, maybe then it will get seen

[Alhanelem]

Try posting it on the FFXIV forums, maybe then it will get seen

If it was reported in the appropriate channels, it has been seen. The same support staff handles both games. They're not going to publicly comment on a thread about exploits.

[Sirmarki]

even if you have a One-Time Password / security token connected to your account, your account is not safe from this vulnerability.

Thank you for sharing this information.

SE, can we have a response to this please as it potentially could be an serious issue regarding our data protection?

[Alhanelem]

Thank you for sharing this information.

SE, can we have a response to this please as it potentially could be an serious issue regarding our data protection?

No, you can't. If anything, you'll get a statement when it's discovered and fixed.

The OP really shouldn't have said anything at all, becuase it was going to (and did) stoke fear among anyone who saw it.

You can be sure that they aren't going to want to deal with the fallout that would occur if something like this were to actually happen, which is exactly why they can not discuss such issues until after they're already fixed. These sorts of things have occured before. If people know about these things they can exploit them, which is the whole reason the OP didn't originally want to say anything about it in the first place. This is a sensitive topic and not the sort of thing a community rep can just freely discuss.

[Sirmarki]

No, you can't. If anything, you'll get a statement when it's discovered and fixed.

Erm.. Isn't that what I literately just asked for in my post?

Although, if this is about shared or other accounts then it is not an issue for me as I never have shared an account. It's the comment about the Securekey I was mainly focusing on.

[Alhanelem]

Erm.. Isn't that what I literately just asked for in my post?

Well, it sounded to me more like you wanted an SE response right now. Which is why I said, with the nature of something like this you're not going to get one until it's been addressed, because if they talk about it beforehand, it risks the issue being tested and exploited by users in the meantime.

Also, I have checked around, the OP above also tweeted (or is it X'ed, now?) at SE and at a minimum, community reps are aware of this thread at the very least.

[Catmato]

The OP really shouldn't have said anything at all, becuase it was going to (and did) stoke fear among anyone who saw it.

I disagree. This is the best way to get things addressed when his previous attempts failed. Something similar happened in the Dark Souls community. There was a RCE exploit that was possible in all three Dark Souls games, and likely the then-upcoming Elden Ring as well. Reporting multiple times through official channels did nothing. Only blasting loudly on Reddit finally got an acknowledgement, and a fix shortly thereafter.

[Alhanelem]

I disagree. This is the best way to get things addressed when his previous attempts failed.

Except, his previous attempsts didn't fail in any way. Not getting a response != a failed attempt. They don't and shouldn't respond to issues like this until they are fixed.

Like I said above, this thread has been seen by staff as has any interaction with support. If they (or anyone else) is expecting a magic wand to be waved to instantly fix the problem, they're setting themselves up for disappointment.

Only blasting loudly on Reddit finally got an acknowledgement, and a fix shortly thereafter.

Other companies are other companies. SE has addressed other such exploits in the past, and notification was only given after the fact.