FFLogs Uploader (Archon) Leaks FFXIV Credentials via Overwolf
This is a brief post that does not detail all concerns found with FFLogs Uploader. However, this post was made to raise awareness of a potential security risk that can harm its users.
A security disclosure was submitted to Overwolf in February, when this was initially analyzed, and no response was received.
Summary
FFLogs Uploader (and other related Archon apps) leak FFXIV session credentials that bad-faith actors can use to log into your FFXIV account.
The Overwolf SDK, currently bundled with FFLogs Uploader, Archon, and potentially others (WoWLogs, etc), installs several components onto the user’s machine without explicit consent.
In AppData\Roaming\ow-electron, several artifacts were seen:
- An OBS fork by Overwolf, for programmatically recording and taking screenshots. Whether screenshot/recording functionality can be triggered without explicit user action has not been confirmed.
- An Overwolf unpacking/installer helper.
- Overwolf utilities (OWEPM, GEP), etc. These programs track what games are open/installed in order to hook into them, presumably for overlay purposes.
One of the utilities, GEP, has a plaintext log file named gep.log. Searching for it in ow-electron and opening it will reveal logs that detail hook status, events and reports.
The events include a dump of the command line that a game was launched with. However, FFXIV session tokens are embedded in that command line, so the logging output leaks credentials.
2026-01-21-23-46-16 - [INFO] enqueueing tracking event 400108,'10_0_22631'
2026-01-21-23-46-49 - [INFO] game 'Final Fantasy XIV Online' (6350) state change launch { pid: 14332,
name: 'ffxiv_dx11',
fullPath: 'C:\\Data\\Games\\ffxiv\\game\\ffxiv_dx11.exe',
is32Bit: false,
isElevated: false,
commandLine:
'"" //**sqex[REDACTED]**//',
window_handle: 133490,
isUWP: false }
2026-01-21-23-46-49 - [INFO] waiting injection dit: 10000
2026-01-21-23-46-59 - [INFO] dit complete
2026-01-21-23-46-59 - [INFO] gep injection rejected for game: '6350'
2026-01-21-23-46-59 - [ERROR] handle game 'Final Fantasy XIV Online (6350)' process (14332) error 'start handler error'
2026-01-22-03-45-03 - [INFO] game 'Final Fantasy XIV Online' (6350) state change exit { pid: 14332,
name: 'ffxiv_dx11',
fullPath: 'C:\\Data\\Games\\ffxiv\\game\\ffxiv_dx11.exe',
is32Bit: false,
isElevated: false,
commandLine:
'"" //**sqex[REDACTED]//',
window_handle: 133490,
isUWP: false }
2026-01-22-03-45-03 - [INFO] Stopping Game Handler 6350
The commandLine parameter, shown here with the session token redacted, contains the full session token in the actual log.
Since the log is exposed in %appdata% with standard read/write permissions, a bad-faith program could steal the token and gain access to your FFXIV account.
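To check whether gep.log files on a machine already hold such a command line, here is an added example (not part of the original post, and not Overwolf or FFLogs code) that parses launch/exit events in the layout shown above and flags those whose commandLine carries the //**sqex blob. The function names, the gep.log* file pattern and the sample text are assumptions made for illustration.

```python
import os
import re
from pathlib import Path

# Launch/exit event header and body as they appear in the gep.log excerpt above.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}(?:-\d{2}){5}) - \[\w+\] game '(?P<game>[^']*)' \(\d+\) "
    r"state change (?P<state>\w+) \{(?P<body>.*?)\}", re.MULTILINE | re.DOTALL)
# In the excerpt the quoted value sits on the line after the commandLine key.
CMDLINE_RE = re.compile(r"commandLine:\s*'(?P<cmd>[^\n]*)',")
# Blob delimited as in the excerpt (//**sqex ...); already-redacted blobs are skipped.
BLOB_RE = re.compile(r"//\*\*sqex(?!\[REDACTED\])[^'\n]*")

# Constructed sample in the excerpt's layout; the blob is a placeholder, not a token.
SAMPLE = """\
2026-01-21-23-46-49 - [INFO] game 'Final Fantasy XIV Online' (6350) state change launch { pid: 14332,
commandLine:
'"" //**sqexCONSTRUCTED-PLACEHOLDER**//',
isUWP: false }
2026-01-21-23-46-59 - [INFO] dit complete
"""


def find_exposures(log_text):
    """Return (timestamp, game, state) for each event whose commandLine holds the blob."""
    hits = []
    for ev in EVENT_RE.finditer(log_text):
        cmd = CMDLINE_RE.search(ev.group("body"))
        if cmd and BLOB_RE.search(cmd.group("cmd")):
            hits.append((ev.group("ts"), ev.group("game"), ev.group("state")))
    return hits


def redact(log_text):
    """Replace every argument blob so the log can be kept or shared without it."""
    return BLOB_RE.sub("//**sqex[REDACTED]**//", log_text)


def scan_ow_electron(root=None):
    """Map each gep.log* file under ow-electron to the exposures found in it."""
    root = Path(root) if root else Path(os.environ.get("APPDATA", "")) / "ow-electron"
    files = [p for p in root.rglob("gep.log*") if p.is_file()] if root.is_dir() else []
    found = {str(p): find_exposures(p.read_text(encoding="utf-8", errors="replace"))
             for p in files}
    return {path: hits for path, hits in found.items() if hits}


if __name__ == "__main__":
    for path, hits in scan_ow_electron().items():
        print(path, *hits, sep="\n  ")
```

Run without arguments, it reads %APPDATA%\ow-electron for the current user and only reports timestamps and game names, never the blob itself.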
What’s next?
I recommend halting use of FFLogs Uploader and any associated program, cleaning the AppData\Roaming\ow-electron folder under your username (C:\Users\%yourusername%\AppData\Roaming\ow-electron), and raising awareness. I’d also recommend changing your SE account’s password to be safe. Session tokens can last days.
The FFLogs team has been made aware in the past of the community’s desire for a standalone uploader. Overwolf currently controls ads via OAM, tracks user gaming behaviour, self-updates and drops programs onto the user’s computer without their knowledge.