Page 6 of 15 FirstFirst ... 4 5 6 7 8 ... LastLast
Results 51 to 60 of 148
  1. #51
    Player
    Join Date
    Apr 2019
    Posts
    318
    Character
    Feronar Bloodfang
    World
    Gilgamesh
    Main Class
    Viper Lv 100
    Cybersecurity student here (albeit only in my first semester, so I can't call myself an expert yet). One thing you should NEVER do is try to invent your own "clever" cryptography or obfuscation algorithm for sensitive information. ALWAYS follow established industry standard best practices and use established algorithms that have undergone years of intense scrutiny and battle testing.

    Better yet, don't send sensitive information to the client at all. There is no reason for the client to have access to the account ID, even obfuscated. Account blacklisting should have been processed entirely on the server side, and if there is a performance hit to the servers, SE should just accept it and get stronger hardware if necessary.

    SE needs to hire a proper cybersecurity expert, preferably full time, or at least as a consultant.
    (17)

  2. #52
    Player
    Join Date
    Feb 2019
    Location
    Aldrassil
    Posts
    2,532
    Character
    Larirawiel Caennalys
    World
    Shiva
    Main Class
    White Mage Lv 100
    Quote Originally Posted by Feronar View Post
    Account blacklisting should have been processed entirely on the server side,
    True. But doing the blacklist functionality on the server would probably increase the server load. By doing it on the client they can externalize the costs for it.

    Cheers
    (3)

  3. #53
    Player
    Join Date
    Mar 2019
    Posts
    30
    Character
    Oric Yaeger
    World
    Cerberus
    Main Class
    Sage Lv 100
    Quote Originally Posted by Larirawiel View Post
    True. But doing the blacklist functionality on the server would probably increase the server load. By doing it on the client they can externalize the costs for it.

    Cheers
    And we're watching the problems with that in real time. FF14 makes plenty of money, getting more power for their servers should not break the bank.
    (8)
    Last edited by Pokefan5; 03-28-2025 at 12:39 AM. Reason: typo

  4. #54
    Player
    Join Date
    Apr 2024
    Posts
    168
    Quote Originally Posted by Pokefan5 View Post
    And we're watching the problems with that in real time. FF14 makes plenty of money, getting more power for their servers should not break the bank.
    I mean I seriously cannot imagine doing server-side blacklist calculations cost that much extra money. At some point FF14 players have to realize that CBU3 is the epitome of a penny pinching studio. Yoshi P is a glorified accountant. He takes pleasure in cutting costs on his precious spreadsheet.
    (10)

  5. #55
    Player
    Join Date
    Feb 2024
    Location
    Gridania
    Posts
    318
    Character
    Neo Bird
    World
    Cactuar
    Main Class
    Warrior Lv 100
    I think this situation highlights something kinda dire: SE doesn't know what they're doing. Possibly in more than just cybersecurity if this was allowed to happen. Sure, they're successful and the game is working, but this demonstrates a pretty serious knowledge gap in their development team. This makes it seem as though they're either too incompetent to guarantee the privacy and safety of their players, or they do not care enough to put in the resources to fix the issue. There are a lot of players that this can affect in various ways, and while someone might say "so what, I don't care if xyz" it doesn't take away from the fact that stalkers be stalkin out there and SE appears to be incapable of solving the problem.

    When you consider the broken engine that they refuse to update, it makes you wonder if that's because they don't fully understand how it works anymore or are unable to make changes to it any longer because they lack the development resources to understand their own systems. It's really unfortunate that this is how we're starting to find out about these incompetencies.
    (6)

  6. #56
    Player
    Join Date
    Oct 2012
    Location
    Gridania
    Posts
    2,857
    Character
    Katarh Mest
    World
    Lamia
    Main Class
    Warrior Lv 100
    Went down the rabbit hole on the Bluesky thread.

    A salted hash would have been the better solution, but it's not as dire as previously thought:

    Post from NotNite: https://bsky.app/profile/notnite.com/post/3ll7cx45las26
    alright, after some investigation (ty @chirp.bsky.social):
    - Account IDs are now obfuscated in some way we're unsure of, but this obfuscation still lets you correlate players clientside(!)
    - we think the network layer has some form of obfuscation on it but we're not quite sure how it works yet
    you can still correlate people using the account ID, but you have to observe both characters of the account from *the same viewing character*, since the IDs are different per viewing character. this is far better than how it was before, but there's still a bit of danger which I'm worried about
    this means that playerscope is "patched" because you can't upload everyone's IDs into the database, it's going to be different for everyone. if you *were* to upload these, I would assume it may be identifiable to you by SE, since it's unique to your (viewing) character
    The "fix" is that because the obfuscated names are unique on a per client level, there is no longer a universal database of characters and alts.

    It's still hella broken (it should be a salted hash, not just obfuscated, so that you need a session-secured token to decrypt the client IDs on the client side) and it won't stop a determined stalker from IDing all your alts, but the shared database is now useless (or, as NotNite points out, it lets SE know that it was you who tried to do it, so they can get after you for violating ToS.)
    (4)
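
    The following is an added illustration for this thread, not code from the forum, the Bluesky post, or Square Enix (whose actual scheme the quoted post says is unknown). It models the three designs discussed in #51 (send nothing linkable to the client; keep the blacklist on the server) and in the post above (a per-viewing-character token that still allows client-side correlation). Design 2 is what a keyed hash, i.e. a hash salted with a per-viewer secret, amounts to. Accounts, character names, viewer names and keys are all constructed.

```python
"""
Constructed model (example for this thread, not Square Enix's code) of three
ways a server can let a client apply an account-level blacklist to nearby
characters. All accounts, character names and keys below are made up.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: two alts share acct-1001, acct-2002 has one character.
ACCOUNTS = {
    "acct-1001": ["Feronar Bloodfang", "Alt One"],
    "acct-2002": ["Oric Yaeger"],
}
CHAR_TO_ACCOUNT = {c: a for a, chars in ACCOUNTS.items() for c in chars}

# Server-side state only; the client never sees these.
VIEWER_KEYS = defaultdict(lambda: secrets.token_bytes(32))  # one random key per viewing character
BLACKLIST = defaultdict(set)                                 # viewer -> blocked account IDs


# Design 1: the client receives the real account ID (or something reversible to it).
def packet_raw(viewer, target):
    return {"name": target, "token": CHAR_TO_ACCOUNT[target]}


# Design 2: the client receives HMAC(viewer_key, account_id), a keyed hash that is
# stable for one viewing character but meaningless to every other viewer.
def packet_per_viewer(viewer, target):
    tag = hmac.new(VIEWER_KEYS[viewer], CHAR_TO_ACCOUNT[target].encode(), hashlib.sha256)
    return {"name": target, "token": tag.hexdigest()}


# Design 3: the server resolves the blacklist itself; the client gets only a decision bit.
def blacklist(viewer, target):
    BLACKLIST[viewer].add(CHAR_TO_ACCOUNT[target])


def packet_server_side(viewer, target):
    return {"name": target, "hidden": CHAR_TO_ACCOUNT[target] in BLACKLIST[viewer]}


# What a client-side blacklist must do under designs 1 and 2: hide any character
# whose token equals the token of a character the viewer blocked earlier.
def client_hides(viewer, blocked_target, seen_target, packet_fn=packet_per_viewer):
    blocked = packet_fn(viewer, blocked_target)["token"]
    return packet_fn(viewer, seen_target)["token"] == blocked


# What a scraper does with the same packets: group names that carry the same token.
def correlate(packets):
    groups = defaultdict(set)
    for p in packets:
        if "token" in p:
            groups[p["token"]].add(p["name"])
    return {frozenset(names) for names in groups.values() if len(names) > 1}


def one_viewer_can_link_alts(packet_fn):
    """One client that has seen both alts: can it tell they share an account?"""
    seen = [packet_fn("Viewer A", "Feronar Bloodfang"), packet_fn("Viewer A", "Alt One")]
    return frozenset({"Feronar Bloodfang", "Alt One"}) in correlate(seen)


def shared_database_links_alts(packet_fn):
    """Two different viewers upload what each saw: can the uploads be joined?"""
    seen = [packet_fn("Viewer A", "Feronar Bloodfang"), packet_fn("Viewer B", "Alt One")]
    return frozenset({"Feronar Bloodfang", "Alt One"}) in correlate(seen)


if __name__ == "__main__":
    for fn in (packet_raw, packet_per_viewer, packet_server_side):
        print(f"{fn.__name__:20s} one viewer links alts: {one_viewer_can_link_alts(fn)!s:5s} "
              f"shared DB links alts: {shared_database_links_alts(fn)}")
    blacklist("Viewer A", "Feronar Bloodfang")
    print("server-side: Viewer A sees Alt One hidden:", packet_server_side("Viewer A", "Alt One")["hidden"])
    print("server-side: Viewer B sees Alt One hidden:", packet_server_side("Viewer B", "Alt One")["hidden"])
```

    Run as-is it prints one line per design. The point the model makes: designs 1 and 2 both let `client_hides` work, and for exactly that reason both let `correlate` link alts seen by the same viewer; the per-viewer key only defeats `shared_database_links_alts`, which matches what the quoted post observed. Design 3 moves the lookup into `BLACKLIST` on the server, so the packet carries nothing to correlate, at the cost of one set lookup per character the server streams to each client.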

  7. #57
    Player
    Join Date
    Jun 2017
    Posts
    158
    Character
    Lilia Atlantia
    World
    Phoenix
    Main Class
    Gladiator Lv 40
    Quote Originally Posted by Catwho View Post
    Went down the rabbit hole on the Bluesky thread.

    A salted hash would have been the better solution, but it's not as dire as previously thought:

    Post from NotNite: https://bsky.app/profile/notnite.com/post/3ll7cx45las26

    The "fix" is that because the obfuscated names are unique on a per client level, there is no longer a universal database of characters and alts.

    It's still hella broken (it should be a salted hash, not just obfuscated, so that you need a session-secured token to decrypt the client IDs on the client side) and it won't stop a determined stalker from IDing all your alts, but the shared database is now useless (or, as NotNite points out, it lets SE know that it was you who tried to do it, so they can get after you for violating ToS.)
    You're reading these events in reverse. At first, it wasn't nearly as bad as you're pointing out - then they found out they can de-obfuscate it. All in a day's work, so we're back to being able to have a database just "fine".
    (2)

  8. #58
    Player
    Join Date
    Oct 2012
    Location
    Gridania
    Posts
    2,857
    Character
    Katarh Mest
    World
    Lamia
    Main Class
    Warrior Lv 100
    Quote Originally Posted by kajv95 View Post
    You're reading these events in reverse. At first, it wasn't nearly as bad as you're pointing out - then they found out they can de-obfuscate it. All in a day's work, so we're back to being able to have a database just "fine".
    Ah crapola, you're right, I now see the 2D and the 1D on the posts.

    This is unacceptable.
    (2)

  9. #59
    Player
    Join Date
    Jan 2021
    Posts
    776
    Character
    Mint Goh
    World
    Balmung
    Main Class
    Black Mage Lv 100
    Yup.

    Let's remember that Square Enix, which is almost a son of Sony, is a very gentle but small indie studio with fewer than 20 people working at that company, so yeah, better deal with all the security failures, and instead of complaining we should be buying emotes or mounts for 60 dollars; maybe ask them to increase the price of the sub to 40 monthly, since we as GCBTW care about them so much, like they are more important than our parents.
    (0)

  10. #60
    Player
    Join Date
    Mar 2016
    Posts
    7,641
    Character
    Oscarlet Oirellain
    World
    Jenova
    Main Class
    Warrior Lv 100
    Quote Originally Posted by Larirawiel View Post
    But doing the blacklist functionality on the server would probably increase the server load. By doing it on the client they can externalize the costs for it.
    I am sure that is their justification for it. But it's incompetent.

    They could choose to externalize literally anything else to make up for the extra server processing.

    For example, they could have the client directly handle inventory with a different server IP/machine entirely. The only time the server would need to know the inventory is when it's relevant, and in those cases, it can communicate with the inventory server, such as when you discard an item that spawns an S rank.

    Another example is they could have the client directly communicate with the chat server that is on a separate IP and machine, potentially allowing for cross-DC FC chat and help support the implementation of a cross-DC Duty Finder.

    Ideas like this completely offload the processing from the server and its current IP addresses, or minimize it a lot, but instead they'd rather do that with one of the most security-sensitive features.
    (3)
