Final Fantasy 14 has a major problem in its code. Back in January, it was discovered that Square Enix’s efforts to improve their blacklist system just made it terrible in an entirely different way.
Essentially, the new system beamed account IDs straight to other clients, rather than player IDs. These IDs, easily scrapable by basic software, allowed bad actors and stalkers to gain a full list of their target’s alts, allowing for easier harassment. While mods like the controversial PlayerScope helped collect and present this information, they were just the tip of an iceberg that had been slowly growing since the expansion’s release.
Square Enix promised to tackle the problem, and things seemed to be looking up before Patch 7.2—with an overhaul to the system hopefully signalling the end of the nightmare. Less than a day later, it was discovered by coder NotNite that “the obfuscation is vulnerable, and that the account IDs are actually reversible.”
NotNite isn’t just some random person, by the way—she took GShade, an incredibly popular addon, to task back in 2023. GShade was a popular mod that allowed players to apply custom shaders and filters to the game, for screenshots or just for plain beautification—it also wasn’t open source. NotNite provided an alternate GShade in a tit-for-tat that eventually saw its original creator kinda lose it and put malware in the thing, cementing their exile from the modding community.
She’s a little sheepish about the whole affair in a recent blog she made on the PlayerScope situation, given it caused quite a bit of drama in the community at the time, “stirring up enough discourse to make it to PCGamer”. Oops.
All this to say, I’m willing to believe her expertise when she says “account IDs can be reverted back into their non-obfuscated form and then used like normal. This functionally means nothing to plugins like PlayerScope, except they need to work slightly harder and discover the algorithm on their own”.
It should be noted that NotNite hasn’t shared any details of how she cracked the algorithm, because revealing that would only give bad actors the key to the proverbial city—though if she can do it, it’s assumed others will be able to follow, and it’s only a matter of time.
This is both a huge safety concern and a major embarrassment for Square Enix—and it’s left me baffled. So much so, in fact, I reached out to NotNite about it, and she’s just as confused as I am.
‘SE probably wants to hire someone’
“I can’t really say what they were thinking,” NotNite writes to me via email, “But I don’t think SE (at least the FFXIV team) has a lot of employees who specialize in these forms of security. I think they are primarily game developers first and cybersecurity experts second—that’s not a fault of the employees, just that SE probably wants to hire someone who has a lot of experience with this.”
(Image credit: Square Enix)
Final Fantasy 14 is a bit of an old machine—being over 10 years old, and cobbled together in record time after the failures of 1.0, I’d wondered if it might be the case that Square Enix was wrestling with its own internal architecture. Based on what she’s seen, though, NotNite’s not so sure:
“Some parts of the blacklist/mute system are handled on the client, and that’s why they’re sent to the client in the first place. Moving it to the server would require them to restructure how the system works, which they may be wanting to avoid since it’s significantly more effort than trying to obfuscate the account IDs.”
As for that obfuscation, she’s not really sure it’s the right tree to bark up. “You could theoretically obfuscate the account IDs in a way that isn’t reversible, but I don’t think it would ‘work’. The current architecture of these malicious plugins,” she explains, referring to mods like PlayerScope, “Is to upload every account ID to a central database, and when new uploads come in, compare them to existing account IDs and create a match.”
So, is the solution to obfuscate everything on a per-player basis? It’d make things a little harder, NotNite says, but still straightforward. “If the account IDs were obfuscated per player,
you can’t compare the account IDs you get with other people’s recorded account IDs, but you can compare them with your own. You would just have to do that step of recording everything locally, and then upload the match itself to the central database.”
Ultimately, she says, “The real solution is to stop sending this data to the client, because the best security model is the one where sensitive information is transferred as little as possible.” Which seems self-evident, but not a lesson Square Enix has apparently learned just yet.
The real solution is to stop sending this data to the client, because the best security model is the one where sensitive information is transferred as little as possible.”
NotNite
She’s got a few theories as to how this disaster might’ve been made manifest, though: “I imagine they were just rushing through to get everything ready for 7.2, applied the first thing they could think of to ‘fix’ the account IDs, and didn’t really revisit it or think about how a malicious actor could exploit it.
“They might not have realized it was reversible at all,” she adds, “and they probably want to avoid rewriting the system entirely, because it would take up a lot of development time that they want to allocate to making the game instead.” Still, NotNite maintains “they should invest the time in to fix it properly, designing your systems securely is a time consuming but very worthy process with games and applications on the internet.”
Mods in Final Fantasy 14 are in a somewhat weird spot—using them is against the terms of service, but Square Enix doesn’t make proactive moves to ban you unless you’re reported for using one, or obviously and blatantly cheating. The official line is don’t use them, however, in practice, it’s don’t use them and be an idiot about it.
NotNite, however, is keen to emphasise that “this is mainly Square Enix’s fault for designing the system this way, and not from a specific modding community like the Dalamud plugin framework.” For context, Dalamud is a popular launcher that helps players collect, download, and run plugins—but despite being a central hub, it doesn’t have power to stop mods like PlayerScope at all.
“I’ve received messages from people who are asking ‘why can’t Dalamud just ban PlayerScope?’. The bug still exists in the game, so a lot of other third party tools (including tools that capture network traffic) could be configured to read account IDs (not that they will, but it’s just technically possible).”
It’s ultimately just a complete mess. The onus is firmly on Square Enix’s to design a game that doesn’t have glaring, obvious security issues like this. It brings me no great pleasure to chew out one of my favourite MMOs, especially since I’ve rather been enjoying Patch 7.2, all told, but this is an incredibly poor showing from the company especially considering its lack of protections for stalking survivors in the past.
That it’s taken over 10 whole years for FF14 to have a blacklist that properly protects people, only for that change to make them vulnerable in different ways—and for their attempt to fix it to be half-baked? It’s downright unacceptable. Here’s hoping it all gets addressed, and soon.
Best MMOs: Most massive
Best strategy games: Number crunching
Best open world games: Unlimited exploration
Best survival games: Live craft love
Best horror games: Fight or flight
