Quote: Originally Posted by Archmortal
Having the plug-in taken down won't accomplish much. The creator is already planning to distribute it among his friends and in less visible spaces. Pursuing legal action will only stop the creator; it won't stop the people that have already copied the plug-in with plans to make their own. I encourage seeking legal action but it will not prevent another copy-cat plug-in from doing the exact same thing.

What MUST be done is protecting the account ID that no one asked for. You could simply NOT send it client-side. If it absolutely MUST be sent client-side for the blacklist to use its current features then you must AT MINIMUM protect it with randomized hashing if you can't be bothered to encrypt it. You cannot let such sensitive data be sent to the client with no protection in a game that you KNOW has such heavy plug-in usage. Basic data security is just completely absent from its current implementation. THAT'S the problem, Yoshida.
This is the issue: the client does not need the accountID to do anything, as it isn't interacting with the other player's account; it's only the character that it sees that it needs to check. The accountID should be a server-side check, with anything requiring the use of account ID being managed through a characterid challenge from the client.

A basic pattern of security is least privilege: the client should never have read privilege on account IDs of other people.
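
The server-side check described in the post above, as an added example that is not part of the original post and not the game's actual code: the client only ever names character IDs, and the server resolves them to accounts internally and returns a yes/no answer. All class, field and ID names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class BlockService:
    """Hypothetical server-side block list keyed by account, queried by character."""
    # Server-only mapping: character_id -> account_id. Never serialized to clients.
    char_to_account: dict
    # account_id -> set of blocked account_ids (also server-only).
    blocks: dict = field(default_factory=dict)

    def block_character(self, session_char: int, target_char: int) -> None:
        # session_char is assumed to come from the authenticated session,
        # not from a value the client is free to choose.
        owner = self.char_to_account[session_char]
        target = self.char_to_account[target_char]
        self.blocks.setdefault(owner, set()).add(target)

    def is_blocked(self, session_char: int, seen_char: int) -> bool:
        # The "character ID challenge": the client asks about a character it
        # can see; the account lookup happens here and only a boolean leaves.
        owner = self.char_to_account.get(session_char)
        target = self.char_to_account.get(seen_char)
        if owner is None or target is None:
            return False
        return target in self.blocks.get(owner, set())

    def nearby_payload(self, session_char: int, visible_chars: list) -> list:
        # What the client receives: character ID plus a flag, no account ID.
        return [
            {"character_id": c, "blocked": self.is_blocked(session_char, c)}
            for c in visible_chars
        ]


def demo() -> list:
    # Constructed sample data: characters 11 and 12 belong to the same account.
    svc = BlockService(char_to_account={1: 100, 11: 200, 12: 200, 21: 300})
    svc.block_character(session_char=1, target_char=11)
    return svc.nearby_payload(session_char=1, visible_chars=[11, 12, 21])


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Blocking one character still covers the same account's other characters, yet nothing in the payload lets a client-side plug-in link those characters to each other by ID.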