Yeah, so long as that ID is being distributed to client it's not safe to use.
And even then, the damage is also largely done to existing accounts.
I can't wait for it to be more public knowledge, and for it to get wider coverage again, by content creators and article writers.
Just because it would force their response; where they need to admit to essentially having used elementary obfuscation on the account ID that was defeated in a couple of hours by a spreadsheet (ChatGPT probably could do it too)... Just because they feel so inclined to double down on their absolute trust in the client design, rather than actually explore alternative measures.
Things like this need to go acknowledged.
....
Then again, don't know why I 'can't wait', because they're only going to deliver the same mantra of "It's against our Terms of Service, please stop it..."
Truly, as people say, being a game developer is one of the hardest jobs in the world when you're just starting out. Emphasis on 'starting out'.
I think even a developer just starting out would know that a) trusting your client on security measures and b) rolling your own encryption are both horrible ideas. Both of these concepts were beaten into my skull during school. (I know you don't disagree, just making sure this stays on the front page :-)
I'm working to become a fullstack developer and move into cybersecurity. In any other company, the servers would be taken down day 1 to make sure the issue can be patched, whereas SE allowed this to continue for 8 months to begin with and still failed at their own wannabe cryptography.
Can't wait for SE to blame all of this on legacy code and threaten the developer with a lawsuit again lol
This is proof that SE made a big mistake pulling many senior devs away from this game to make games that flopped. They should keep those devs strictly on this game only moving forward when it's their biggest money maker too.
Have to hand it to you there, that was basically the one time I trusted them not to mess up because of the sheer level of stupidity it would be to not do it correctly and it not being hard to do correctly (do it server side, it's extra processing that they should be able to afford). It's crazy to think how bad it must be for that to be a problem.
I stand corrected.
At the end of the day, this company is one that constantly pumped out excuses that make absolutely no sense, like how putting the glamour dresser in apartments will cause server crashes.
Either they are flat out incompetent, or they are too lazy to actually fix anything.
Cybersecurity student here (Albeit only in my first semester, so I can't call myself an expert yet). One thing you should NEVER do is try to invent your own "clever" cryptography or obfuscation algorithm for sensitive information. ALWAYS follow established industry standard best practices and use established algorithms that have undergone years of intense scrutiny and battle testing.
Better yet, don't send sensitive information to the client at all. There is no reason for the client to have access to the account ID, even obfuscated. Account blacklisting should have been processed entirely on the server side, and if there is a performance hit to the servers, SE should just accept it and get stronger hardware if necessary.
SE needs to hire a proper cybersecurity expert, preferably full time, or at least as a consultant.
I mean I seriously cannot imagine doing server-side blacklist calculations cost that much extra money. At some point FF14 players have to realize that CBU3 is the epitome of a penny pinching studio. Yoshi P is a glorified accountant. He takes pleasure in cutting costs on his precious spreadsheet.
I think this situation highlights something kinda dire: SE doesn't know what they're doing. Possibly in more than just cybersecurity if this was allowed to happen. Sure, they're successful and the game is working, but this demonstrates a pretty serious knowledge gap in their development team. This makes it seem as though they're either too incompetent to guarantee the privacy and safety of their players, or they do not care enough to put in the resources to fix the issue. There are a lot of players that this can affect in various ways, and while someone might say "so what, I don't care if xyz" it doesn't take away from the fact that stalkers be stalkin out there and SE appears to be incapable of solving the problem.
When you consider the broken engine that they refuse to update, it makes you wonder if that's because they don't fully understand how it works anymore or are unable to make changes to it any longer because they lack the development resources to understand their own systems. It's really unfortunate that this is how we're starting to find out about these incompetencies.
Went down the rabbit hole on the Bluesky thread.
A salted hash would have been the better solution, but it's not as dire as previously thought:
Post from NoteNite: https://bsky.app/profile/notnite.com/post/3ll7cx45las26
Quote:
alright, after some investigation (ty @chirp.bsky.social):
- Account IDs are now obfuscated in some way we're unsure of, but this obfuscation still lets you correlate players clientside(!)
- we think the network layer has some form of obfuscation on it but we're not quite sure how it works yet
Quote:
you can still correlate people using the account ID, but you have to observe both characters of the account from *the same viewing character*, since the IDs are different per viewing character. this is far better than how it was before, but there's still a bit of danger which I'm worried about
The "fix" is that because the obfuscated names are unique on a per client level, there is no longer a universal database of characters and alts.
Quote:
this means that playerscope is "patched" because you can't upload everyone's IDs into the database, it's going to be different for everyone. if you *were* to upload these, I would assume it may be identifiable to you by SE, since it's unique to your (viewing) character
It's still hella broken (it should be a salted hash, not just obfuscated, so that you need a session secured token to decrypt the client IDs on the client side) and it won't stop a determined stalker from IDing all your alts, but the shared database is now useless (or as NotNite points out, lets SE know that it was you who tried to do it, so they can get after you for violating ToS.)
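To make the design being argued about in this post (and in the earlier "don't send the account ID to the client at all, blacklist server-side" post) concrete, here is an added toy example; it is not Square Enix's code, not the plugin's code, and not anything from the Bluesky thread. It assumes a hypothetical game server that keeps real account IDs to itself, enforces the blacklist before anything leaves the server, and reports each character to a viewer under a per-session keyed pseudonym, HMAC(session_key, account_id). Character names, account IDs and the blacklist below are constructed sample data.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: real account IDs exist only on the server side.
# Two characters belong to the same account (an "alt"), one to another account.
CHARACTERS = {
    "Aria Stormwind": "acct-1001",
    "Aria Nightfall": "acct-1001",   # alt of the account above
    "Borin Ironhand": "acct-2002",
}

# viewer account -> set of account IDs that viewer has blacklisted (server-side only)
BLACKLIST = {
    "acct-3003": {"acct-1001"},
}


class SessionServer:
    """Toy game server (hypothetical) that never hands a real account ID to a client.

    Each login gets its own random key; characters are reported to that viewer as
    HMAC(session_key, account_id). The pseudonym is stable within one viewer's
    session, but a different viewer holds a different key, so two clients cannot
    pool their observations into one shared database of accounts and alts.
    """

    def __init__(self):
        self._sessions = {}  # session token -> (viewer account, per-session key)

    def login(self, viewer_account: str) -> str:
        token = secrets.token_hex(16)
        self._sessions[token] = (viewer_account, secrets.token_bytes(32))
        return token

    @staticmethod
    def _pseudonym(key: bytes, account_id: str) -> str:
        # Keyed: without the session key, the output cannot be tied back to
        # the account ID, and it cannot be recomputed by another viewer.
        return hmac.new(key, account_id.encode(), hashlib.sha256).hexdigest()

    def visible_characters(self, token: str) -> dict:
        """What one viewer receives: character name -> per-session pseudonym.

        The blacklist is applied here, on the server, so a blacklisted account's
        characters (all of its alts) are simply absent from the response.
        """
        viewer, key = self._sessions[token]
        blocked = BLACKLIST.get(viewer, set())
        return {
            name: self._pseudonym(key, acct)
            for name, acct in CHARACTERS.items()
            if acct not in blocked
        }


def demo() -> dict:
    """Run the scenario and return the properties a reviewer would check."""
    server = SessionServer()
    token_a = server.login("acct-4004")
    token_b = server.login("acct-5005")
    token_blocker = server.login("acct-3003")
    seen_a = server.visible_characters(token_a)
    seen_b = server.visible_characters(token_b)
    seen_blocker = server.visible_characters(token_blocker)
    sent_values = list(seen_a.values()) + list(seen_b.values())
    return {
        # Caveat from the thread: a single viewer can still tell that two
        # characters share an account, because the pseudonym is stable per session.
        "same_viewer_links_alts": seen_a["Aria Stormwind"] == seen_a["Aria Nightfall"],
        "same_viewer_separates_accounts": seen_a["Aria Stormwind"] != seen_a["Borin Ironhand"],
        # The improvement: two viewers see unrelated pseudonyms for the same account.
        "cross_viewer_uncorrelatable": seen_a["Aria Stormwind"] != seen_b["Aria Stormwind"],
        # Blacklisting happens before the response is built; the blocker never
        # learns about the blocked account's characters, alts included.
        "blacklist_enforced_server_side": (
            "Aria Stormwind" not in seen_blocker
            and "Aria Nightfall" not in seen_blocker
            and "Borin Ironhand" in seen_blocker
        ),
        # No real account ID ever appears in anything sent to a client.
        "real_id_never_sent": not any(v in CHARACTERS.values() for v in sent_values),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of keying the pseudonym per session rather than hashing the ID with a public salt is the "cross_viewer_uncorrelatable" property: a salt that every client can read would let any two clients recompute the same value and rebuild the shared database. The "same_viewer_links_alts" result is deliberately left true to match the caveat in the quoted post: as long as the blacklist hides a whole account, a single observer can still infer that two characters are linked, whatever the pseudonym looks like.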
Yup.
Let's remember that Square Enix, which is almost a son of Sony, is a very gentle but small indie studio with fewer than 20 people working at that company, so yeah, better deal with all the security failures, and instead of complaining we should be buying emotes or mounts for 60 dollars; maybe ask them to increase the price of the sub to 40 monthly since we, as GCBTW, care about them so much, like they are more important than our parents.
I am sure that is their justification for it. But it's incompetent.
They could choose to externalize literally anything else to make up for the extra server processing.
For example, they could have the client directly handle inventory with a different server IP/machine entirely. The only time the server would need to know the inventory is when it's relevant, and in those cases, it can communicate with the inventory server, such as when you discard an item that spawns an S rank.
Another example is they could have the client directly communicate with the chat server that is on a separate IP and machine, potentially allowing for cross-DC FC chat and help support the implementation of a cross-DC Duty Finder.
Ideas like this completely offload the processing from the server and its current IP addresses, or minimize it a lot, but instead they'd rather do that with one of the most security-sensitive features.
Kind of a double-edged sword. SE can now just say you're using the plugin or database and ban you if you're caught harassing someone. So this works for but also against anyone using it.
I think they already do that for inventory, which is why using many items has a cast time (validation check). I heard somewhere that wasn't the case in 1.0 so there was load time whenever you opened your inventory. Offloading excessively recurring features client side is the natural first choice for most cases where possible.
Programmers do not exist
I hope square manages to find a way to Nuke Dalamud
Please fix this.
tbh they probably don't have the slightest idea of how to stop third party anyway. that's probably why the director only ever pleads for people to not use them.
are people scared of getting their erp and pvp alts exposed or whats the matter of everyones panic?
The problem: Many Final Fantasy XIV players have a habit of stalking other players due to various reasons to the point where you can't play the game without being harassed on a daily basis. It already happened outside the game, and in the future, will end up with someone getting hurt, or even possibly die.
The attempted solution: the blacklist revamp was a response to the article I linked, but SE has no Q&A or IT-team to test their services and code. What ends up happening, is that they have linked a specific unique identifier to your account, sent over by network and stored locally on your device. By seeing what the unique identifier is, you can see that account's characters, retainers, creation time, live-location and so on. This is what a particular plugin can do, and people have been warned since DT's release that this is a ticking time bomb.
SE's piss-poor "new" attempted solution: because SE has shown little care, they only gave empty threats to the plugin's developer with a lawsuit (good luck on that lmao) and promised a solution for 7.2 to patch the hole. They created an in-house wannabe cryptography that was cracked within 24 hours rather than use something that's industry standard for better security.
This was already talked to death, but it shows how weak the code already is at this point, and believe it or not, this will get worse. Eventually.
Stop relying on a system that clearly isn't working as intended.
Human intervention is the only real solution to this; if people are being put into situations of harassment, stalking, being threatened, etc., it needs to be reported and dealt with properly by an actual human being.
Explanation: Final Fantasy XIV has had a stalker problem for a long while. If you haven't heard of this, it's because it doesn't affect a large amount of the playerbase, but it does still happen. Reporting for harassment usually doesn't help unless they say bad words, and the lodestone basically makes stalking through servers and name changes painfully possible. While the blacklist update was meant to help (not just making a blacklisted player vanish, but also their entire service account meaning they can't just hop on an alt and continue), this update had the added benefit for the stalker party that the unique identifier for an account is now broadcast to every player in the zone you're in.
This probably doesn't seem like a big deal until you've had to deal with it yourself. Because just like everything else in this godforsaken game, the blacklist is a one-way street. They can still see you, follow you, and decide to talk shit about you to every single person you might be talking to or meeting. They can continuously attempt to damage any and all social relations you might have in this MMO, a player-driven and social game. And with the third party tools, you're able to create a "stalker network" as it were, tracking people everywhere on a player level. And using the broadcasted unique account identifier, they can do it with any character on that service account you might be playing on, with zero repercussions, because most of the time, reporting this kind of behavior doesn't do anything. It's honestly ridiculous.
If this doesn't seem like a big deal to you, then, yeah - it probably never will be a big deal to you until you've had to deal with something like that. For others though, such as myself, I'm just not playing any alts (not even on main tbf) until this issue is resolved, which it doesn't look like it ever will at this point.
The mechanism of the account ID being sent to the client is just the vector used by the stalker plugin to expose alts. So long as the blacklist feature works globally against a player and all their alts, a malicious player would be relatively easily able to discover the alts of their target. Even if the blacklisting was managed server-side.
I'm glad this thread reappeared after it seemed to go back out of earth's orbit for a while
I'm not trying to downplay the legitimate concern that people have here, and I know there's no NICE way to say this. but I think somebody has to say this: 99% of players in the game will never be affected by this, and honestly, if somebody wants to use a plugin this badly to stalk you, idk man I'd find it impressive I managed to get that popular.. just don't reply to them, blacklist, ignore and move on. it's pointless to be upset about things you have No control over.
perhaps this problem should open SE's eyes to the fact we need a 2-way BL system. I want to be able to choose who sees me. instead of sticking my fingers in my ears
literally, just, ignore them. this isn't going to go into IRL, you cannot link in any way a player's account to their account information like name, address etc. this is complete hysteria.
also this story has nothing to do with plugins, this is just an off-related case of somebody stalking somebody in the same country as them. people need to remember to exercise caution when meeting others online.
I agree players have a stalking problem, but that's because the game doesn't have a 2-way BL system, if it did... people would actually take being BL'd much more seriously
1. It doesn't really matter if it affects only 1% of players. Generally you would expect a third-party tool to enhance gameplay or facilitate additional features. What the account ID facilitated opened up Pandora's Box, and if people are just going to feign "Well it only affects a small number of people" -> Then this is precisely what will give way for far worse tools to exist in the future. Besides, it's a matter of principle: why should someone else be collecting and processing data which many would deem to be of a private or sensitive nature?
2. I mean this with all due respect, and not at all with offense, but you're the last person that should be preaching to the choir about "it's pointless to be upset about things you have no control over" - Seeing as you yourself have made threads being just as upset as people here, and arguably over things of which you have absolutely no control.
3. My guy, it doesn't matter if it seeps into IRL behavior or not; people don't come on video games just to be stalked on said video game, or to have to look over their own shoulder on an alt character, because they had to abandon 1 character because of sheer ineptitude around enforcing the Terms of Service with respect to harassment and stalking. Square Enix does far, far too little in this respect. Also, if you unironically think that it is absolutely impossible for this to propagate into IRL, then I really don't know what to tell you, even if you were to exercise caution (Which many do).