The security measures introduced in Final Fantasy 14’s latest Patch 7.2 have already been outsmarted by a programmer. In just a matter of hours, NotNite and their team managed to bypass the protections developed by Square Enix. Previously, there were concerns regarding the PlayerScope mod, which has been known for accessing sensitive personal data of players.
The primary objective of Patch 7.2 was to address this exact issue. It aimed to correct security vulnerabilities that enabled mods like PlayerScope to track characters without permission. However, a programmer has now revealed that these efforts were in vain. According to the programmer’s report, both they and other players delved into the changes made in Patch 7.2, sharing findings that raised serious concerns about the patch’s effectiveness.
This patch, titled ‘Seekers of Eternity’, was rolled out on March 25, following a 24-hour maintenance shutdown. Besides attempting to patch the security flaw, the update also introduced the Cruiserweight tier for the Arcadion raid series, expanded on Dawntrail’s main narrative, and made various adjustments to character Jobs. For example, the Black Mage enjoyed reduced casting time and increased damage output, whereas the Pictomancer’s burst potential was curtailed after receiving significant player feedback. On the security front, this update attempted to apply encryption to safeguard player account IDs against potential threats.
Despite these efforts, Square Enix’s security upgrade quickly faltered. During an exclusive interview with PC Gamer, the player NotNite explained how they and their associates circumvented these latest security improvements. Patch 7.2 employed a form of network obfuscation as a protective measure, but an algorithm was soon crafted to dismantle this approach. According to NotNite, she effectively reverse-engineered the process with the help of consenting friends, achieving noteworthy success after only a few hours. This experience was shared on the social network Bluesky.
The issue with Square Enix’s security isn’t new. NotNite didn’t release specifics about the algorithm used to compromise the obfuscation, yet she hinted that developers of mods that rely on access to account IDs, such as PlayerScope, might soon adapt their mods to take advantage of these insights. Previously, PlayerScope gained notoriety for its ability to track all characters linked to a player’s account by tapping into client-side data, potentially exposing players to stalking or harassment by ill-intentioned users.
NotNite speculated that these security shortcomings may stem from constraints in development time and resources. Back in January, Square Enix acknowledged the existence of mods like PlayerScope and reaffirmed their stance against any unauthorized third-party tools in the game. The patch notes for version 7.2 also highlighted that certain player names might become unpresentable due to the account ID amendments, although players could recreate these names if necessary.
Following her examination, NotNite criticized Square Enix’s actions, advocating that they cease sending sensitive data to client systems altogether. With an ongoing wave of DDoS attacks also targeting the game’s servers, it remains to be seen how Square Enix will tackle these lingering security challenges moving forward.