Retail Security Concern

Hello everyone,

I am making an announcement in regard to a major security vulnerability I have recently discovered on retail that can affect literally every single player. At this time, I will not be disclosing the vulnerability publicly, but do wish to help ensure the community is safe the best I can with what I can share at the moment. Due to ongoing issues with getting into contact with `Square Enix`, I feel it's best to still inform the community of measures you can take to help keep your account(s) safe.

If you have ever shared your account with anyone, regardless if they are a friend or family, or if you have purchased an account from another, then I highly encourage you to specifically change your `PlayOnline Password`. Regardless if you have recently changed your `Square Enix` account password, this is critical. Also, even if you have a One-Time Password / security token connected to your account, your account is not safe from this vulnerability.

You can log into the `Square Enix` account management portal to change your password by visiting the `PlayOnline` website and clicking the `Square Enix Account Management System` button at the top. From there you can log into the SE account system and navigate to the proper page to specifically change your accounts `PlayOnline` password. I encourage you to do this for all accounts you have/use.

If you are an employee with Square Enix, part of the Final Fantasy XI development team, or know someone that is; please get in touch with me via direct messages. I am working to get in contact with the proper team to report these issues in full and get them addressed as soon as possible. While I have reported the issues to SE already, the means in which that they offer so far are less than stellar in ensuring they reach the proper people.

You can also contact me via email: atom0s@live.com

"If you have ever shared your account with anyone, regardless if they are a friend or family, or if you have purchased an account from another"

Does this mean those of us that have never shared their password or purchased an account are fine to go on about our day?

Or should we change our passwords also?

Thanks very much for posting this.

At this time, yes. If you have never shared your information you should be safe.
(Not accounting for any kind of potential third-party tooling that is designed to steal accounts and so on, but that kind of thing is pretty rare anymore.)

Well….

We are in 2023, if people dont have the bare minimum awareness to changing password after a leakage of credentials, be it unexpected or planned (sharing/selling account), then i think a game should be the lowest of your concerns.

Nowaday there is a huge amount of possible attacks going on. They dont need to actually know your specific game password. They just need to track all of your history to pinpoint where you are inserting information.

The very same person who share credential is a potential candidate to repeat password in many system, to use weak passwords, to navigate in insecure browser, to connect in insecure networks. You simply making yourself a vulnerable target to any attacker.

Just take an example the official SE site. My browser says its an insecure connection. I didnt inspect if they arent using a trusted certificate, but under this premise, if browser decides the site is insecure, youre basically talking with server in clear text. Hackers just need to sniff your connection to see whats going on. You just need to connect in a restaurant wifi for the owner to discover everything youre sharing in an insecure connection.

Idk whats the vulnerability is, but telling to be more aware of your game credentials security shouldnt be more that common sense this day and age.

Just take this episode to re-*** your own PERSONAL safety when browsing on internet

Just to clarify, let’s say I’ve logged into my character on two separate computers, but I haven’t shared my account information with anyone else. Would my account be at risk?

Thanks for raising this vulnerability. Hopefully it gets addressed quickly.

Technically, no. There are other vulnerabilities within the PlayOnline / Square Enix services and websites that can allow bad actors to do things to accounts other than their own. However, the likelyhood of something happening that would combine this issue I am reporting on and those other issues is extremely low.


There's nothing wrong with being cautious, especially when personal data and such are at risk. I intentionally did not include any links in my warning post to avoid any issues with people assuming I was trying to personally do any kind of damage.

Due to the lack of ability to get SE to listen and take things serious, my hand was forced to basically post this warning publicly to get them to actually listen. Sadly, all means of communication they make available are to low-level support techs that are told to follow a basic outline/script which resulted in [nearly] all of them telling me to go post the vulnerability, publicly, on the official forums. This is absolutely not how something like this (or any vuln. for that matter) should be handled.

After making this post on several platforms, I was able to get in touch with two players of the community that have higher reach with SE and friends within their development teams/special task force to get this taken serious. It's not the way I wanted to go about getting it handled, but SE basically left me no choice.


I don't really agree with this kind of take personally.

Not everyone is going to be experienced with computers, technology and other similar things in the world. They base their trust on information they are told regardless if that information is being honest with them or not. A great example of this is one you used yourself, SSL certificates.

Modern browsers have made the push to try and enforce all websites make use of HTTPS and a valid SSL cert to include the extra layer of protection. However, this does not mean that all websites using HTTPS and a valid SSL cert are automatically safe. But, because browsers have basically fear-driven people into that kind of belief with their popups anytime you visit a site not using an SSL cert saying its insecure, people that are not tech savvy come to that kind of conclusion that SSL automatically = safe.

Bias' like this exist in all kinds of tech related things, including one that is involved with this vulnerability I have reported.


The likelyhood of something happening in a situation like that is extremely low. However, just your PlayOnline ID alone is enough information for a bad actor that knows this and another vulnerability to attempt to get into your account. There are various other vulnerabilities that exist both within PlayOnline's servers/services as well as the Square Enix account system that can be used together to perform various kinds of attacks.

However, the actual likelyhood of things happening in any wide scale at the moment are pretty low. The amount of effort some things take is far more than most people will know how to do in regards to reverse engineering and such.

Shame full-disclosure got shut down, you could have just posted it there for us all to enjoy "pressure SE to fix".

This sounds like lingering creds being able to still be valid and if, hooo boy

So what happens if me and a friend literally share accounts on the reg? Keep changing them every time one of us log in?

Curious if anything similar impacts any of the XIV account architecture, and if it would spurn quicker/intense attention.

Dm them to me I’ll handle it from here

If you have given someone your playonline password for the purpose of playing with your account - then I can see no issue here - this was on purpose.

It seems to me the vulnerability must be something like a weakly protected REST server at SE that only requires playonline ID and playonline password, and it will return credit card information or some real life identity information that should not be disclosed.

I'm not friends with Asurans, sorry

I suppose.

Unless they made some update on their software recently, if we are talking about technology from 2002's, then its surely a swiss cheese in terms of security.

Sorry, but that is not how I handle things like this and would not have ever done that. The proper people are working on this now, and hopefully it'll be fixed asap.

In the event SE does fix the issue and gives me the OK, I'll post a full disclosure on what the issue was and other bits that could be abused along side it.



It's not. The way things are handled/coded are designed to prevent this kind of attack.



Currently, most people should be fine/safe unless you are dealing with sketchy friends or have shared info previously with someone that is not trustful. At most, I'd suggest changing at least once so that your information is newer than any password that was shared with anyone previously and then only share the new one with your friend if you absolutely trust them to not leak it to others.

This isn't an issue where everyone's going to have their accounts hacked tomorrow or something. So there's no need to change your password that often.



I'm not sure on that.

I have not dug into FFXIV at all in regards to reverse engineering or similar so I am not familiar with how the login systems are implemented for it.

Its been this way since Square-Enix accounts have been a thing back in.. 2010? 2011? nothing really new here.

Isn't this more of a social engineering vulnerability and relatively lax verification methodology on SE support's end? Part of the account recovery process asking for previously known POL passwords - or if the user doesn't know, their best guess? Had to go through this back in 2016 when I forgot all my ***and the only after I provided an old universal password of mine were they able to help. This all makes sense if someone can falsify recovery by providing enough info, which anyone who had access to an account would have. Support doesn't care about the circumstances of the access as long as some basic criteria can be met that proves the person once had access.

I know, I was mostly kidding. Sometimes I miss the earlier eras when FD was more common and the associated drama around it, but it's definitely not the right approach these days in most cases.


They were really inconsistent when I dealt with them years ago. I remember at one point calling to recover an account, they emailed me an affidavit to sign verifying the account was mine, requesting nothing other than my email address to mail it to. I hung up, called the next day and they reset my PlayOnline password with just the POL ID. Other times, they'd ask for birthdate, address, and/or the CD key (good luck finding that). This was all prior to SE accounts, which ultimately made it a lot easier to manage and retain your creds.

It struck me that there was no consistent process for verifying user accounts or the process wasn't followed. I doubt that's the issue here, though.

The fact that any tech support staff would suggest someone post the details of a vulnerability on a public forms makes me cringe. It's 2023.... come on now. Even a leyman knows better than that. I don't care what the script they're reading from says, any IT support staff that suggests this doesn't deserve to work at the job.

You'd be surprised...

They probably didn't understand the situation, they aren't developers or engineers, even if they were it's a remote concept for them at times that anyone would misuse this sort of information. When they hear someone calling to report a bug, they have no context for what that means, security vulnerabilities or otherwise, and defer to the script of reporting it on the forum. This isn't exactly a normal situation for them and I doubt SE has response or disclosure policies in place for when people identify bugs of this nature, because it's not something they regularly have to deal with.

This would probably be more in the realm of the STF to respond to via their submission form, but they have a policy of not responding and there is no way of knowing if they are going to act on it or even read the report. I'd never expect a tech support line to know anything about how to report vulnerabilities, it's just not something they are going to be involved in.

Historically, companies not exposed to this sort of situation have been difficult to get ahold of, but under pressure and exposure have come up with the disclosure and response policies you see most companies have today. For companies or groups that haven't been exposed to that, there's a lot of naivete to the process until they learn and they can be difficult to reach or deal with.

The staff you talk to wouldn't even know it's a god damn game if you didn't tell them it's a game.

They don't know ***about ***they just answer phones. (and try to get you to just hang up to avoid actually doing anything) Cheapest labor to the lowest bidder and knowledge isn't a prereq.

Is the new NA customer support service maintenance announcement in response to this?
http://www.playonline.com/ff11us/polnews/news27027.shtml

edit: nvm, maybe it's about Crysta payment...
http://www.playonline.com/ff11/polnews/news27025.shtml

It's not too surprising to be honest. Most of the people that are working those emails, live chats and other means of support contact are general people not that tech savvy. In most cases, they are just reading from a set of guidelines or from a training manual they have on hand, or are told as a 'last resort' when they don't have something covered in their docs to just direct people to the official forum.

It would be nice to see Square Enix train better and open a more direct means of communication when it comes to things like this. Most companies these days offer contact through a Bug Bounty program, such as HackerOne. Even if they don't offer rewards for discoveries, it still gives people a means to contact/communicate without this kind of hassle.

One thing I will say that was kind of a surprise was their email support is 24/7 and they do respond quite fast, just in a case like this it was pretty much useless lol.

You could try contacting the SE data protection officer if you haven't already.

https://www.square-enix-games.com/en_GB/documents/privacy#s12