Patch 7.2's Account ID protection measures have already been circumvented

[kajv95]

I don't get it...
What exactly was circumvented and what exactly does it means?
A technical explanation would be great.

At the launch of Dawntrail's Early Access, it was discovered that, to facilitate the new Blacklisting features, each service account's unique identifier is being broadcast to everyone within the zone you're in. This unique identifier is used to identify the player on a service account level, meaning every character on that service account shares the same unique identifier.

Some unhinged people created a tool that farms that data to create a database, allowing the users of said tool to track players on a per-user level. This also lets you know which retainer belongs to which player, which de-anonymizes the market board to a great extent and opens the door to harassment.

After the issue was ignored for a long while, originally a statement was made here, basically asking them to kindly stop.
This, of course, did nothing, and there was the outcry that the issue was at a system level. Because it is. So in a Live Letter leading up to 7.2, they announced that they would be implementing measures... for 7.2. Which was still like a month away. People weren't happy with it, but hey, atleast they were doing something, right?

Fast forward to 7.2's release. They delete everyone's blacklist to accomodate for the new system. In reality, all they ended up doing was adding an obfuscation layer to the unique identifier, which was broken within 24 hours. The problem is that this is being handled client side at all, which many users commented on at the time as being the worst possible implementation possible. So the obfuscation layer is fully cracked, the tool updated, and we're basically right back to where we started.

As for what this means; it means there's a database that keeps track of who you are across all your characters and retainers, which can be used very easily for cyberstalking

[GiR_Zippo]

Thank you for the explanation, but after reading some of the posts from NotNite it left me with an other question:

... all they ended up doing was adding an obfuscation layer to the unique identifier, which was broken within 24 hours.

Where did they added the obfuscation layer aka what was obfuscated (memory, networkstream, graphic data) ?

Oh and kind of a confusion:
SE introduced the issue by implementing the Blacklisting?

[Daralii]

Thank you for the explanation, but after reading some of the posts from NotNite it left me with an other question:

Where did they added the obfuscation layer aka what was obfuscated (memory, networkstream, graphic data) ?

The packets of data sent to your client when you blacklist someone, which is what contains the account ID. They used a slapped together homebrew solution instead of something that's actually a reliable staple in the industry, but there's no good reason for this data to be sent to the client at all.

[GiR_Zippo]

The packets of data sent to your client when you blacklist someone, which is what contains the account ID. They used a slapped together homebrew solution instead of something that's actually a reliable staple in the industry, but there's no good reason for this data to be sent to the client at all.

If I got that right, there is no reason to send this data, they only obfuscated the network data and sending this data was introduced by adding the blacklist feature?

[Saraide]

Thank you for the explanation, but after reading some of the posts from NotNite it left me with an other question:

Where did they added the obfuscation layer aka what was obfuscated (memory, networkstream, graphic data) ?

Oh and kind of a confusion:
SE introduced the issue by implementing the Blacklisting?

The player ID was obfuscated in a very basic calculation that was of course cracked within a day. Even then the obfuscation was static so if you were using the stalker plugin by yourself literally nothing had changed.

Before Dawntrail the blacklist just blocked one specific character, the person that character belonged to could just log in to another character on that same account and talk to you again. SE then changed it so that if you blocked one character you would block that person's entire service account from messaging you. Problem is your client needs to know who to block and who you are blocked by. In a competent game this information would only be handled by the server. SE decided to simply send your account ID to everyone's client. Because SE is now broadcasting your account ID it makes it trivial to find out any and all other characters aswell as retainers you have on your account. If you use an alt to be left alone by a stalker, that stalker now knows that's your alt.

[GiR_Zippo]

The player ID was obfuscated in a very basic calculation that was of course cracked within a day.

What was to be expected, sadly.

Even then the obfuscation was static so if you were using the stalker plugin by yourself literally nothing had changed.

I read the posts from NotNite and could it be that the "stalker plugin" it self is now using the library NotNite retweeted?

In a competent game this information would only be handled by the server.

Means SE could easily set the visibility from a blacklisted player server side to 0 and suppress the chat messages.
Basically the same situation we have now (he can see you, you can't), just done server sided?

... If you use an alt to be left alone by a stalker, that stalker now knows that's your alt.

Basically an automated version, few ppl did back in the days by lodestone?

[Daralii]

Basically an automated version, few ppl did back in the days by lodestone?

The main difference is that you can set your Lodestone to private, but this packet sniffing method lets people keep lists of all your characters and retainers, and because your service account ID is immutable, no changes you make to your characters or retainers will obfuscate that it's still you. The plugin was also on Github for a while(I think it got pulled around the time SE's "Please stop" statement came out), so it got forked plenty and people have their own databases apart from the main one.

[Exmo]

Means SE could easily set the visibility from a blacklisted player server side to 0 and suppress the chat messages.
Basically the same situation we have now (he can see you, you can't), just done server sided?

They could do that but it's a much more expensive approach, either in terms of how it slows the game's performance or in terms of reallocating infrastructure resources in all their data centers.

However, that still won't make it impossible for someone to create a database with every user and their alts. So long as the feature intends to hide all of a blocked player's characters, a malicious user can easily leverage that to discover alts.