Final Fantasy 14 Community Voices Concerns About Security Changes in Patch 7.2

Overview of Recent Developments in Final Fantasy 14

  • The recently introduced Patch 7.2 for Final Fantasy 14 was aimed at addressing security vulnerabilities but has already been compromised.
  • Programmer NotNite and her associates successfully circumvented Square Enix’s measures within mere hours.
  • There are ongoing concerns regarding the PlayerScope mod, which has the potential to access private user information.

Patch 7.2, titled Seekers of Eternity, launched on March 25 after a brief maintenance window, aiming to resolve key security issues that enabled mods like PlayerScope to track player characters without permission. However, a programmer revealed that Square Enix’s security enhancements have already been effectively bypassed, prompting serious concerns within the community.

Patch 7.2 Security Failures Prompt Concerns

The 7.2 update introduced major content, including the Cruiserweight tier in the Arcadion raid series and the next chapter of the Dawntrail storyline. Alongside these additions, significant job adjustments were made; notably, the Black Mage received enhancements to casting speed and damage output, while the Pictomancer saw a reduction in burst damage following community feedback. Additionally, this patch aimed to obscure player account IDs with encryption to protect against unauthorized access.

IMPORTANT UPDATE: after a *lot* of testing and a group chat full of my smartest FFXIV friends, we have figured out the obfuscation is vulnerable, and that the account IDs are actually reversible. SE needs to stop sending the account ID entirely to clients and just set a hidden flag or something
NotNite (@notnite.com) 2025-03-25T22:34:23.484Z

According to NotNite, although Square Enix implemented measures to obfuscate account information, a specific algorithm was developed that reversed this security effort. Testing confirmed that this obfuscation can be broken, and mod developers are likely to adapt their tools, including PlayerScope, to exploit these vulnerabilities. PlayerScope, in particular, has faced scrutiny due to its ability to track all characters associated with an account using client-side data, potentially exposing players to harassment and stalking risks.
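The post quoted above recommends that the server stop sending the account ID and send a flag instead. The sketch below contrasts the two designs; it is an added example, not code from the article, NotNite, or Square Enix, and the XOR transform, the block-list feature, and every name and ID in it are constructed assumptions.

```python
# Constructed sample data (not real game data): character name -> account ID.
CHARACTERS = {"Alpha": 1001, "Beta": 1001, "Gamma": 2002}
# Hypothetical block list kept server-side: viewer account -> blocked accounts.
BLOCKS = {3003: {1001}}
# Toy obfuscation constant. Anything the client needs in order to use the
# value is available to whoever inspects the client.
CLIENT_KEY = 0x5A5A5A5A


def weak_payload(name):
    """Weak design: ship an obfuscated account ID and let the client compare."""
    return {"name": name, "account_tag": CHARACTERS[name] ^ CLIENT_KEY}


def flag_payload(viewer_account, name):
    """Hardened design: the server compares and ships only the outcome."""
    blocked = CHARACTERS[name] in BLOCKS.get(viewer_account, set())
    return {"name": name, "blocked": blocked}


def partition_by_payload(payloads):
    """Group names by every non-name field: what the client data lets an observer infer."""
    groups = {}
    for p in payloads:
        key = tuple(sorted((k, v) for k, v in p.items() if k != "name"))
        groups.setdefault(key, []).append(p["name"])
    return sorted(sorted(g) for g in groups.values())


def audit(viewer_account=4004):
    """Compare both designs as seen by a viewer with no block-list entries."""
    names = sorted(CHARACTERS)
    weak = partition_by_payload([weak_payload(n) for n in names])
    flag = partition_by_payload([flag_payload(viewer_account, n) for n in names])
    return weak, flag


if __name__ == "__main__":
    weak, flag = audit()
    print("weak design groups:", weak)  # characters fall into per-account groups
    print("flag design groups:", flag)  # one undifferentiated group
```

In the weak design the payload alone groups characters by account even before the transform is undone; in the flag design no account-derived value reaches the client at all.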


NotNite believes that the security measures introduced in Patch 7.2 were insufficient, possibly due to constraints in development time and resources. Earlier in January, Square Enix explicitly recognized the existence of PlayerScope and reiterated the prohibition of such mods under the game’s terms of service. The patch also indicated that changes to account IDs might affect the visibility of some player names, although players could recreate affected entries.

Following her thorough testing, NotNite emphasized that Square Enix must reconsider its approach to handling sensitive data within the game client. With ongoing DDoS attacks affecting Final Fantasy 14’s servers, it remains uncertain how the company will adapt to these challenges and improve security moving forward.


© 2021 The Filibuster Blog