Re: Regarding the Use of Third-Party Programs and Player Safety

[SillyCrow]

We have confirmed that there exist third-party tools that are being used to check FFXIV character information that is not displayed during normal game play. The tool is being used to display a segment of an FFXIV character's internal account ID, which is then used in an attempt to further correlate information on other characters on the same FFXIV service account.

So the game shares an internal account ID with the client. If this is not supposed to be seen, that seems like the root problem to me.

• Is this issue going to be fixed?
  
• When can we expect this to be fixed?
  

[BigCheez]

Yes, that's the problem.

No, it won't be fixed. You can expect it to be fixed never.

It isn't displaying "a segment of an FFXIV character's internal account ID", they send the whole ass account id to the client, raw and unencrypted and it isn't "used in an attempt to further correlate information on other characters on the same FFXIV service account", they just use the whole account id that they're being given to look up other characters with the same account id.

This is the devs refusing to acknowledge that this is even their own fault.

Absolute best case scenario, the plugin will just be made private again. But I'm pretty sure the people who would still have access to it are on my data centre, so that's cool.

[YumieYumiki]

Absolute best case scenario, the plugin will just be made private again.

Never gonna happen. It used to be on github, meaning people have copies and will continue spreading it, even if SE manages to get a legal injunction against someone or another. The only reason for SE not to fix it on a technical level (handle the blacklisting server side instead of client side) is that it would make the servers slightly more expensive to run. That's literally the only reason. They prefer to compromise their customers security than losing a bit of revenue. That's not a good look.

[BigCheez]

Never gonna happen. It used to be on github, meaning people have copies and will continue spreading it, even if SE manages to get a legal injunction against someone or another. The only reason for SE not to fix it on a technical level (handle the blacklisting server side instead of client side) is that it would make the servers slightly more expensive to run. That's literally the only reason. They prefer to compromise their customers security than losing a bit of revenue. That's not a good look.

It's still open source. The GitHub repo was removed but they just moved the project to a shady Russian version control platform instead. Yes, people will still have access to the code but they need to be whitelisted to access the database.

The problem is that you don't actually need the plugin to access any of this information. You could grab the account id via anything that can read values from memory or network traffic. If they don't want people to be able to access this information, they need to stop sending it to people.

[Collin_Sky]

Like Cheez said, the cat is out of the bag and it's going no where. SE seems completely incapable of taking responsibility for implementing this feature in the absolute dumbest way possible.
SE are well aware how often people are reading game data because they're literally taking plogons and adding them into QoL features, so they know they exist, they know people are doing it, and didn't take any steps to protect such important information as account ID.

[ovIm]

It isn't displaying "a segment of an FFXIV character's internal account ID", they send the whole ass account id to the client, raw and unencrypted and it isn't "used in an attempt to further correlate information on other characters on the same FFXIV service account", they just use the whole account id that they're being given to look up other characters with the same account id.

This is the devs refusing to acknowledge that this is even their own fault.

The devs don't even acknowledge the entire scope of the problem, let alone what an actual fix could be. Guess we can expect that behavior to be par for the course in the forseeable future.
And as you said, no modified game client is needed to access the information.
But I guess actually fixing the issue in a proper way and having the blacklist get handled server side is "too expensive" or something like that.

[VerdeLuck]

Just add an anticheat in 8.0 we need it at this rate.

[Archmortal]

Having the plug-in taken down won't accomplish much. The creator is already planning to distribute it among his friends and in less visible spaces. Pursuing legal action will only stop the creator, it won't stop the people that have already copied the plug-in with plans to make their own. I encourage seeking legal action but it will not prevent another copy-cat plug-in from doing the exact same thing.

What MUST be done is protecting the account ID that no one asked for. You could simply NOT send it client-side. If it absolutely MUST be sent client-side for the blacklist to use its current features then you must AT MINIMUM protect it with randomized hashing if you can't be bothered to encrypt it. You cannot let such sensitive data be sent to the client with no protection in a game that you KNOW has such heavy plug-in usage. Basic data security is just completely absent from its current implementation. THAT'S the problem, Yoshida.

[ovIm]

Just add an anticheat in 8.0 we need it at this rate.

Please no. Anticheat will only harm the regular users and can do nothing to resolve this issue, its literal snake oil.

[Collin_Sky]

Just add an anticheat in 8.0 we need it at this rate.

Anticheat in this game would cause half the playerbase to quit.
There are so many people who play this game as second life simulator for Yoshi to do something like that. Man will do anything for subs.