FINAL FANTASY XIV Online

Patch 7.2 account protection is not working.
People found a way to bypass security in 7.2 patch, roughly 24-26h after it was implemented. Stalking plugin still works and if you logged in at 7.2, they have data of your account.

This is honestly just baffling to me. I remember when SE went after and banned people for NSFW pictures on twitter, or streamers who used parsers or markers. And yet where there is group of people making tools to see your whole account, they do nothing and ask community to stop. Those people should be banned, and potentially sued.

Let me just warn people that if software like this already exists, what will come next? What other skeletons are in SE's security closet? Should we expect new hacks to boot code on our PC? Not to mention there are fishy mod links and mods that have malware and harmful code in them.

Why is security of FFXIV and implication of TOS so lackluster?

Edit: The plugin is still being worked on and improved. Other groups are developing plugins that can do much, much more. If SE won't take action, we will be having a data breach in the near future. Just warning people; I know I will get the same treatment as the person who told about blacklist issues when DT came out, and now the ''Cummunity'' insulted them and spat on them for daring to critique FFXIV and warn people. Only when the stalking plugin got so big that the devs had to open their mouths about it did the Cummunity react.

Community is reason this game won't evolve and won't do better.
PS: Don't use credit card to buy Crysta on Mog Station.
Last edited by Calandir; May 3 @ 10:17am
Showing 1-15 of 104 comments
The security of most things online is at least as bad, if not worse, than this; it's not as big a deal as people make it out to be.
Calandir Apr 15 @ 5:59am 
Originally posted by Alternity:
The security of most things online is at least as bad, if not worse, than this; it's not as big a deal as people make it out to be.
We're not far away from people having access to your account due to client backdoors. It is bigger than you think and what people think. And it could get game in legal trouble, as it's unprotected. And there are talks about Mog station website having nasty things in backend as well.
Originally posted by Calandir:
Originally posted by Alternity:
The security of most things online is at least as bad, if not worse, than this; it's not as big a deal as people make it out to be.
We're not far away from people having access to your account due to client backdoors. It is bigger than you think and what people think. And it could get game in legal trouble, as it's unprotected. And there are talks about Mog station website having nasty things in backend as well.
I think you overestimate the general security that exists online.
Raansu Apr 15 @ 6:04am 
Most overblown issue ever.
Calandir Apr 15 @ 6:05am 
Originally posted by Alternity:
Originally posted by Calandir:
We're not far away from people having access to your account due to client backdoors. It is bigger than you think and what people think. And it could get game in legal trouble, as it's unprotected. And there are talks about Mog station website having nasty things in backend as well.
I think you overestimate the general security that exists online.
In any other company, the servers would be taken down day 1 to make sure the issue can be patched, whereas SE allowed this to continue for 8 months to begin with and still failed at their own wannabe cryptography.

This can lead to some really nasty situation if SE won't react properly, people will abuse the opening and will push it further and further. Especially now after lackluster response.
Originally posted by Calandir:
Originally posted by Alternity:
I think you overestimate the general security that exists online.
In any other company, the servers would be taken down day 1 to make sure the issue can be patched, whereas SE allowed this to continue for 8 months to begin with and still failed at their own wannabe cryptography.

This can lead to some really nasty situation if SE won't react properly, people will abuse the opening and will push it further and further. Especially now after lackluster response.

I don't think that is true at all considering the amount of cheap companies that exists.

I have no doubts that some, a relatively low number of companies compared to the total amount, would do that, but nowhere near my mind is the thought that the majority would do this.

If you put your credit card online, no matter if it's Square Enix, Amazon, Google, or a random Chinese company, you have the same risks. This is the world we live in.
Last edited by Alternity; Apr 15 @ 6:09am
Lixire Apr 15 @ 6:10am 
Seems like while they did add protection around the data, it was also reversible, which is absolutely embarrassing for SE, and it blows my mind how it went past testing.

Tho about the game security in general. FFXIV doesn't require any heavy permissions and everything runs within the user mode with admin access only required for patching and installing the game and parts of the game that use user input like chat/pf listings are sanitized as well. Your IP address and your account credentials that are being sent to the server are also encrypted using TLS 1.2

Speaking of Mods/cheats including malware is basically user error and this is why Dalamud warns the user about using addons from non official repos. You can play games like Valorant with the most aggressive kernel level anti cheat but infect yourself by using a random "free cheat" that had a crypto miner/keylogger whatever in it

You in general should keep your OS updated at all times, do not run everything as administrator for "better performance" and be mindful of what are you running
Calandir Apr 15 @ 6:11am 
Originally posted by Alternity:
Originally posted by Calandir:
In any other company, the servers would be taken down day 1 to make sure the issue can be patched, whereas SE allowed this to continue for 8 months to begin with and still failed at their own wannabe cryptography.

This can lead to some really nasty situation if SE won't react properly, people will abuse the opening and will push it further and further. Especially now after lackluster response.

I don't think that is true at all considering the amount of cheap companies that exists.

I have no doubts that some, a relatively low number of companies compared to the total amount, would do that, but nowhere near my mind is the thought that the majority would do this.
One thing you should NEVER do is try to invent your own "clever" cryptography or obfuscation algorithm for sensitive information. ALWAYS follow established industry standard best practices and use established algorithms that have undergone years of intense scrutiny and battle testing.

Better yet, don't send sensitive information to the client at all. There is no reason for the client to have access to the account ID, even obfuscated. Account blacklisting should have been processed entirely on the server side, and if there is a performance hit to the servers, SE should just accept it and get stronger hardware if necessary.

SE isn't some cheap company, they have money and I assume basic knowledge of cybersecurity, this stuff isn't some rocket science, you're learning this pretty early in cybersecurity studies.
What this is, in my opinion, is a lack of senior devs at the wheel. DT was given to a new batch of developers and writers to potentially learn and improve, and this is the result: a hole in security and mostly negative reviews.
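The server-side design argued for in the post above, sketched as an added example (not part of the thread and not Square Enix's code): blacklist filtering happens on the server, and the client only ever receives a per-session opaque handle built with standard HMAC-SHA256. `ZoneServer`, its methods, and the sample IDs are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: character_id -> (character name, owning account_id).
CHARACTERS = {
    101: ("Aria Vale", 9001),
    102: ("Aria Alt", 9001),   # second character on the same account
    201: ("Bren Holt", 9002),
}


class ZoneServer:
    """Hypothetical server that keeps account IDs and the blacklist off the client."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-only HMAC key
        self._blacklist = {}                 # blocker account_id -> blocked account_ids
        self._handles = {}                   # (session_id, handle) -> character_id

    def _handle(self, session_id, character_id):
        # Standard HMAC-SHA256, keyed server-side and bound to the viewer's session:
        # a handle means nothing to other sessions, and alts do not share one.
        msg = f"{session_id}:{character_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def visible_characters(self, session_id, viewer_account, nearby_ids):
        """Build the client payload; blocked accounts are filtered out here."""
        blocked = self._blacklist.get(viewer_account, set())
        payload = []
        for cid in nearby_ids:
            name, owner = CHARACTERS[cid]
            if owner in blocked:
                continue  # every character of a blocked account is dropped
            handle = self._handle(session_id, cid)
            self._handles[(session_id, handle)] = cid
            payload.append({"name": name, "handle": handle})  # no account_id field
        return payload

    def block(self, session_id, viewer_account, handle):
        """The client names a target by handle; the account lookup stays server-side."""
        cid = self._handles.get((session_id, handle))
        if cid is None:
            return False  # unknown handle, or one issued to a different session
        self._blacklist.setdefault(viewer_account, set()).add(CHARACTERS[cid][1])
        return True
```

Because the handle is derived from the character and the viewer's session rather than from the account, two characters on one account cannot be linked from the payload, yet blocking either one hides both.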
Originally posted by Calandir:
Originally posted by Alternity:

I don't think that is true at all considering the amount of cheap companies that exists.

I have no doubts that some, a relatively low number of companies compared to the total amount, would do that, but nowhere near my mind is the thought that the majority would do this.
One thing you should NEVER do is try to invent your own "clever" cryptography or obfuscation algorithm for sensitive information. ALWAYS follow established industry standard best practices and use established algorithms that have undergone years of intense scrutiny and battle testing.

Better yet, don't send sensitive information to the client at all. There is no reason for the client to have access to the account ID, even obfuscated. Account blacklisting should have been processed entirely on the server side, and if there is a performance hit to the servers, SE should just accept it and get stronger hardware if necessary.

SE isn't some cheap company, they have money and I assume basic knowledge of cybersecurity, this stuff isn't some rocket science, you're learning this pretty early in cybersecurity studies.
What this is, in my opinion, is a lack of senior devs at the wheel. DT was given to a new batch of developers and writers to potentially learn and improve, and this is the result: a hole in security and mostly negative reviews.
Ok. You can continue to believe that there are companies that operate 100% safely online; I'll continue to believe otherwise and take appropriate precautions when I interact with any remote device.
Lixire Apr 15 @ 6:21am 
Originally posted by Calandir:
Originally posted by Alternity:

I don't think that is true at all considering the amount of cheap companies that exists.

I have no doubts that some, a relatively low number of companies compared to the total amount, would do that, but nowhere near my mind is the thought that the majority would do this.
One thing you should NEVER do is try to invent your own "clever" cryptography or obfuscation algorithm for sensitive information. ALWAYS follow established industry standard best practices and use established algorithms that have undergone years of intense scrutiny and battle testing.

Better yet, don't send sensitive information to the client at all. There is no reason for the client to have access to the account ID, even obfuscated. Account blacklisting should have been processed entirely on the server side, and if there is a performance hit to the servers, SE should just accept it and get stronger hardware if necessary.

SE isn't some cheap company, they have money and I assume basic knowledge of cybersecurity, this stuff isn't some rocket science, you're learning this pretty early in cybersecurity studies.
What this is, in my opinion, is a lack of senior devs at the wheel. DT was given to a new batch of developers and writers to potentially learn and improve, and this is the result: a hole in security and mostly negative reviews.

You can use all of the tech and standards and still mess up due to terrible implementation, which is what happened in this case.
But overall, when you log in to the game, you go through the authentication in a different server, which returns you a valid SID (token) in order to log in to the game.
So no, no one will actually steal your login credentials even if they have your account ID of FFXIV, and if you feel concerned then I strongly suggest (and you should have done it anyway) enabling 2FA on your SE account.

I agree, Blacklisting should be done differently and SE should be called out for messing up but I highly doubt that the game has RCEs and etc in there
weiss Apr 15 @ 6:26am 
Originally posted by Calandir:
People found a way to bypass security in 7.2 patch, roughly 24-26h after it was implemented. Stalking plugin still works and if you logged in at 7.2, they have data of your account.

This is honestly just baffling to me. I remember when SE went after and banned people for NSFW pictures on twitter, or streamers who used parsers or markers. And yet where there is group of people making tools to see your whole account, they do nothing and ask community to stop. Those people should be banned, and potentially sued.

Let me just warn people that if software like this already exists, what will come next? What other skeletons are in SE's security closet? Should we expect new hacks to boot code on our PC? Not to mention there are fishy mod links and mods that have malware and harmful code in them.

Why is security of FFXIV and implication of TOS so lackluster?
very old news o.o
Calandir Apr 15 @ 6:28am 
Originally posted by Lixire:
Originally posted by Calandir:
One thing you should NEVER do is try to invent your own "clever" cryptography or obfuscation algorithm for sensitive information. ALWAYS follow established industry standard best practices and use established algorithms that have undergone years of intense scrutiny and battle testing.

Better yet, don't send sensitive information to the client at all. There is no reason for the client to have access to the account ID, even obfuscated. Account blacklisting should have been processed entirely on the server side, and if there is a performance hit to the servers, SE should just accept it and get stronger hardware if necessary.

SE isn't some cheap company, they have money and I assume basic knowledge of cybersecurity, this stuff isn't some rocket science, you're learning this pretty early in cybersecurity studies.
What this is, in my opinion, is a lack of senior devs at the wheel. DT was given to a new batch of developers and writers to potentially learn and improve, and this is the result: a hole in security and mostly negative reviews.

You can use all of the tech and standards and still mess up due to terrible implementation, which is what happened in this case.
But overall, when you log in to the game, you go through the authentication in a different server, which returns you a valid SID (token) in order to log in to the game.
So no, no one will actually steal your login credentials even if they have your account ID of FFXIV, and if you feel concerned then I strongly suggest (and you should have done it anyway) enabling 2FA on your SE account.

I agree, Blacklisting should be done differently and SE should be called out for messing up but I highly doubt that the game has RCEs and etc in there
I do use 2FA. The premise of my post is mainly that there are gaps in the security of the client and the Mog Station website that can be exploited. And there is a group of very dedicated people who want to crack it and spend an absurd amount of time finding a way. We're talking beyond the stalker plugin at this point. This is why it's such a big issue: people are working around the clock to find a way in, and to my knowledge they started to make even more sophisticated hacking tools.
Lixire Apr 15 @ 6:29am 
Originally posted by weiss:
Originally posted by Calandir:
People found a way to bypass security in 7.2 patch, roughly 24-26h after it was implemented. Stalking plugin still works and if you logged in at 7.2, they have data of your account.

This is honestly just baffling to me. I remember when SE went after and banned people for NSFW pictures on twitter, or streamers who used parsers or markers. And yet where there is group of people making tools to see your whole account, they do nothing and ask community to stop. Those people should be banned, and potentially sued.

Let me just warn people that if software like this already exists, what will come next? What other skeletons are in SE's security closet? Should we expect new hacks to boot code on our PC? Not to mention there are fishy mod links and mods that have malware and harmful code in them.

Why is security of FFXIV and implication of TOS so lackluster?
very old news o.o

Well not so old. CBU3 did "fix" the issue that allowed the leaking of account IDs within the game but turns out it wasn't fixed properly and the issue happens again.
Raansu Apr 15 @ 6:34am 
There's ZERO account information on character IDs. It is only character information, and that ID has ALWAYS been publicly accessible because it's a simple folder with the ID in your documents folder that the game fetches, and it has always been easily scraped.

The reaction to the plugin is completely overblown. So what if they have my character ID and know the names of my retainers? They are blacklisted and disappear from my screen so what does it matter? They can't do anything with that information and I can't see their character or read their chat messages. They don't exist anymore.
Lixire Apr 15 @ 6:49am 
Originally posted by Calandir:
Originally posted by Lixire:

You can use all of the tech and standards and still mess up due to terrible implementation, which is what happened in this case.
But overall, when you log in to the game, you go through the authentication in a different server, which returns you a valid SID (token) in order to log in to the game.
So no, no one will actually steal your login credentials even if they have your account ID of FFXIV, and if you feel concerned then I strongly suggest (and you should have done it anyway) enabling 2FA on your SE account.

I agree, Blacklisting should be done differently and SE should be called out for messing up but I highly doubt that the game has RCEs and etc in there
I do use 2FA. The premise of my post is mainly that there are gaps in the security of the client and the Mog Station website that can be exploited. And there is a group of very dedicated people who want to crack it and spend an absurd amount of time finding a way. We're talking beyond the stalker plugin at this point. This is why it's such a big issue: people are working around the clock to find a way in, and to my knowledge they started to make even more sophisticated hacking tools.

There are gaps in every online service out there, including the very one we are using right now to comment on. No security is perfect, and it all depends on which measures the service takes to protect its data in terms of how they store the data and what mitigations there are.

Yes, I know about PlayerScope and how people did fork the GitHub repo before it went down and created versions that offer more features to track more character-specific data. It sucks and you ain't wrong, but I don't expect to see RCEs or anything critical all of a sudden popping off, as you log in through an issued token/SID, the game doesn't expose your IP addresses, user inputs are sanitized, the set of permissions to launch the game is very limited, everything is done in user mode, and the game doesn't host any other service on your machine.

I would argue that other games like League of Legends have a much larger attack surface area compared to FFXIV for example.
But just as I mentioned before: don't launch the game as administrator, keep your OS updated, and be mindful of what you execute on your computer. If you use addons by any chance, then stick to Dalamud's official ones, and if you decide to use a custom repo, then be sure to know exactly what you are doing.
Last edited by Lixire; Apr 15 @ 6:51am