new neopets security vulnerability, beware everyone!


22 replies to this topic

#1 fiasco817

fiasco817
  • 254 posts



Posted 15 November 2015 - 07:49 PM

saw this on r/neopets, here is the direct link:

 

 

https://www.reddit.c...ty_in_the_wild/

 

this seems like a big deal, and I have not seen it discussed here yet

 



#2 Rogue

Rogue
  • 674 posts



Posted 15 November 2015 - 07:52 PM

Play neopets on Tor Browser and you're pretty much golden.



#3 Grimley

Grimley
  • The greatest trick the Devil ever pulled was convincing the world he didn't exist

  • 3840 posts



Posted 15 November 2015 - 07:57 PM

saw this on r/neopets, here is the direct link:

 

 

https://www.reddit.c...ty_in_the_wild/

 

this seems like a big deal, and I have not seen it discussed here yet

 

Thanks for the heads up!



#4 Lollita

Lollita
  • 801 posts



Posted 15 November 2015 - 08:14 PM

Thanks +rep



#5 Kass

Kass
  • 581 posts



Posted 15 November 2015 - 08:41 PM

Wow, I didn't even know this kind of thing was possible  :unsure: Thanks for posting this!


Edited by Kass, 15 November 2015 - 11:44 PM.


#6 Nano

Nano
  • a delicious kiwi

  • 325 posts



Posted 15 November 2015 - 08:54 PM

This has been around for months. Only just been made public.



#7 Waser Lave

Waser Lave

  • 25516 posts



Posted 15 November 2015 - 09:41 PM

This is the same thing we recently banned somebody for, check their ban thread for more information if you haven't already. It's a basic XSS attack, pretty sure it doesn't give them your password or cookies if it's exactly the same as they tried here. But yeah, this is a pretty serious one now it's getting out, follow the steps in that Reddit post to stay safe from it and don't follow links from people you don't trust. STRANGER DANGER PEOPLE, STRANGER DANGER!

#8 fiasco817

fiasco817
  • 254 posts



Posted 15 November 2015 - 10:56 PM

Thanks for the heads up!

 

anytime man!



#9 Blanc

Blanc
  • 1058 posts



Posted 16 November 2015 - 08:05 AM

Thanks! I'll take more care now. +rep



#10 spotify95

spotify95
  • 315 posts

Posted 16 November 2015 - 11:18 AM

This is the same thing we recently banned somebody for, check their ban thread for more information if you haven't already. It's a basic XSS attack, pretty sure it doesn't give them your password or cookies if it's exactly the same as they tried here. But yeah, this is a pretty serious one now it's getting out, follow the steps in that Reddit post to stay safe from it and don't follow links from people you don't trust. STRANGER DANGER PEOPLE, STRANGER DANGER!

 

Was that the same person that tried scamming me a couple of days ago? See below:

 

Attempted to send a malicious link to several members via PM. For further information:

 

https://www.reddit.c...cious_activity/

 

A reminder to only follow links from people you know and trust. If you receive a link here from somebody you don't know then if in doubt just report it and the staff will check it out, don't take any risks.

 

Action: Banned (obviously)

 

 

I'm definitely going to take much more care now, and check my Neopets account just to make sure someone hasn't had any of my items or NPs. Also, if I don't know you, and you try sending me a link in a PM, chances are it's going to go.



#11 Strategist

Strategist
  • Sadmin

  • 10012 posts



Posted 16 November 2015 - 11:20 AM

EDIT: This security vulnerability has been resolved — hooray! Please clear your browser’s cache to ensure that this change takes effect for you.
We’ll have more information for you this evening :)


So apparently, this is now fixed according to the OP of the reddit thread.

#12 spotify95

spotify95
  • 315 posts

Posted 16 November 2015 - 11:24 AM

So apparently, this is now fixed according to the OP of the reddit thread.

 

Phewee! At least we know that we won't be worrying about whether someone's going to use a plugin to steal our NPs/Items...

 

It does recommend to clear your cache - which I shall do.



#13 Strategist

Strategist
  • Sadmin

  • 10012 posts



Posted 16 November 2015 - 11:27 AM

Phewee! At least we know that we won't be worrying about whether someone's going to use a plugin to steal our NPs/Items...
 
It does recommend to clear your cache - which I shall do.


Even so, I wouldn't go dropping your guard in regards to account security. What one person says, doesn't necessarily mean it's true.

#14 SuperDuperPuppu

SuperDuperPuppu
  • 148 posts



Posted 16 November 2015 - 06:18 PM

Who goes around stealing accounts for a game that is barely staying afloat?



#15 Lollita

Lollita
  • 801 posts



Posted 16 November 2015 - 06:19 PM

Glad it's over..



#16 neopetsexploded

neopetsexploded
  • 234 posts

Posted 16 November 2015 - 08:01 PM

So the person PMing random users here was trying to use that exploit I presume?



#17 Strategist

Strategist
  • Sadmin

  • 10012 posts



Posted 16 November 2015 - 08:13 PM

Yep, they were.

#18 spotify95

spotify95
  • 315 posts

Posted 17 November 2015 - 09:21 AM

Yep, they were.


Whatever they were doing, I can only presume it was to try and steal NPs. I ended up getting a PM from the aforementioned member but the link had expired before I could read the PM. Thank goodness for that, otherwise they could have wiped my account clean...

 

edit: Just saw this message from TNT, so everything should be ok.

 

 

 

  • SECURITY UPDATE from TNT: In order to address some of the concerns and comments made by our players from this past weekend, please be aware that a recent security update was made to better optimize your experience on the site. Let us start by reassuring all of you that it is important to us that our Neopets users are able to run flash apps and games on our site safely. And because of that, we have restricted access through Flash from non-Neopets sites. If you run a Neopets fan-site and this new restriction breaks something on your site, please feel free to contact us through our support channels for further information and instructions from our team. Thank you!


Edited by spotify95, 17 November 2015 - 10:52 AM.


#19 rezpirate

rezpirate
  • 171 posts



Posted 26 November 2015 - 05:14 PM

Have checked my settings on my browsers, I'm safe.



#20 Hydrange

Hydrange
  • 504 posts

Posted 28 December 2015 - 09:30 AM

A friend's account fell victim to this exploit. She was frozen within the next hours of accepting the "flash update". She either got frozen for self protection or the thief self froze it after stealing everything. Anyway, it's been a month now and we lost the hope of getting it back. Tickets have been sent, but no one answered them.



#21 spotify95

spotify95
  • 315 posts

Posted 28 December 2015 - 02:35 PM

A friend's account fell victim to this exploit. She was frozen within the next hours of accepting the "flash update". She either got frozen for self protection or the thief self froze it after stealing everything. Anyway, it's been a month now and we lost the hope of getting it back. Tickets have been sent, but no one answered them.

 

Oh dear - so basically put, anyone who fell victim to the exploit lost their account, and most (if not all) of the items? That's terrible...

 

Hope it all goes well for them and that it gets resolved, but otherwise, best bet would be to (unfortunately) start over with a new account...



#22 Hydrange

Hydrange
  • 504 posts

Posted 28 December 2015 - 05:04 PM

Oh dear - so basically put, anyone who fell victim to the exploit lost their account, and most (if not all) of the items? That's terrible...

 

Hope it all goes well for them and that it gets resolved, but otherwise, best bet would be to (unfortunately) start over with a new account...

Thank you!

We don't think they're answering any tickets, their Facebook wall is full of complaints about the matter so if they ever reply... I'm afraid it's not going to be in the near future. :(



#23 KaibaSama

KaibaSama
  • Weeaboo


  • 5640 posts



Posted 28 December 2015 - 06:19 PM

Thank you!
We don't think they're answering any tickets, their Facebook wall is full of complaints about the matter so if they ever reply... I'm afraid it's not going to be in the near future. :(

I think they've forgotten the ticket system exists. It's been months since I sent in a ticket about the fact that my password to my side isn't working and I'm not getting the reset email because AOL blocks neopets emails. The status of that ticket is still "open", they haven't even looked at it! I sent that back in September! You think it would be really easy to just switch the email on the side so I could get the reset email, but no, instead it's taken over 4 months and they haven't even looked at it. Ugh. With the staff being downsized and the issues with duping, the board filters dying this past weekend and all the other stuff, I guess tickets just aren't on the list of important things anymore.

