This is a really good find. Wow. This needs to be addressed.
As stupid as this whole system is (seriously, what good is a session ID if the "session" lasts indefinitely??) you probably should not have posted this publicly on the SE forums. I know you mean well but SE has banned for less.
And now I don't feel safe anymore. Token or not, that's insane.
Holy poo pie, is this in bug reports already? This is frightening if it's true.



So... all you have to do is get a (very specific) virus?
Unless SE's official sites get infected, I'm not seeing the issue here.
Ahh, so the mystery of the hijacked accounts spamming has been solved.
Making the sessions bound to an IP and expire after one use would probably stop 95% of the RMT spam.
Last edited by TheRac25; 10-08-2013 at 02:03 AM.
The only people that would benefit by this not being posted are the ones exploiting it to spam RMT adverts.
Since SE is too stupid to figure it out after over a month of it being exploited, I'd say it's past due.
Last edited by TheRac25; 10-08-2013 at 02:11 AM.




I really hope they don't sweep this under the rug. Seems like one SERIOUS oversight! <_<
Might want to change the title though as you may end up discouraging some from using an authenticator which would probably cause more harm than good.
Was anyone else surprised at the OP's post? I half expected a crazy tinfoil conspiracy thread about how a "friend" got hacked and they totally used an authenticator.




Thank you, Taal, for the detailed (yet clear) explanation of what appears to be a major security issue with FFXIV. This is a really disappointing design oversight, and one that Square-Enix needs to fix as soon as possible.
I thought the same thing when I read the OP. This does seem to explain the hijacked account spamming, though there could be other security flaws being exploited as well.

If this is true, it's a stupid mistake on the security team's part. A ridiculous flaw.
The minimum they should do is bind the session on IP and invalidate it if a different IP tries to access the service with it.
Also, I believe their sessions last 1 month... just checked this site's session id... heh.
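The mitigation the posters above keep coming back to, sessions bound to the issuing IP and expiring after a short TTL instead of a month, looks like this as an added, self-contained example. This is not Square Enix's code and nothing on this page describes their implementation; the class and method names, the 10-minute TTL and the sample IPs are all my own assumptions. One practitioner caveat the thread does not mention: strict IP binding logs out mobile and some NAT users whose address changes mid-session, so many sites soften it to a short idle timeout plus re-authentication for sensitive actions.

```python
import hmac
import secrets
import time

# Added example (not from the forum or from Square Enix): a server-side
# session store that binds each token to the client IP it was issued to and
# expires it after a fixed idle timeout. All names and values are assumptions.

SESSION_TTL_SECONDS = 10 * 60  # assumed 10-minute idle timeout


class SessionStore:
    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable for testing
        self._sessions = {}          # token -> {"user", "ip", "expires"}

    def issue(self, user, client_ip):
        """Create a fresh, unguessable token bound to the caller's IP."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "ip": client_ip,
            "expires": self._clock() + self._ttl,
        }
        return token

    def validate(self, token, client_ip):
        """Return the user for a valid token, else None.

        A token presented after expiry, or from a different IP than the one it
        was issued to, is revoked on the spot rather than just rejected, so a
        stolen cookie cannot keep being replayed alongside the real holder.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:
            del self._sessions[token]
            return None
        if not hmac.compare_digest(entry["ip"], client_ip):
            del self._sessions[token]
            return None
        # Sliding expiry: each valid use extends the session by one TTL.
        entry["expires"] = self._clock() + self._ttl
        return entry["user"]

    def revoke(self, token):
        """Explicit logout."""
        self._sessions.pop(token, None)


def demo():
    """Walk through the cases discussed in the thread with a fake clock."""
    now = [1_000_000.0]
    store = SessionStore(ttl=600, clock=lambda: now[0])

    tok = store.issue("alice", "203.0.113.5")          # constructed sample IP
    results = [store.validate(tok, "203.0.113.5")]      # legitimate use
    results.append(store.validate(tok, "198.51.100.9")) # replay from elsewhere
    results.append(store.validate(tok, "203.0.113.5"))  # original holder now logged out too

    tok2 = store.issue("alice", "203.0.113.5")
    now[0] += 601                                       # idle past the TTL
    results.append(store.validate(tok2, "203.0.113.5")) # expired
    return results


if __name__ == "__main__":
    print(demo())
```

The replay from a second IP does not merely fail; it destroys the session, which is what turns a silent hijack into something the victim notices (they get logged out) and forces the attacker to steal a fresh token every time.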



