Hey friends,
A malicious Flash file has recently appeared on multiple Neopets-related websites, including Neopets.com itself.
When you visit an infected webpage, it exploits a vulnerability in Flash and Neopets.com to immediately transfer all of your on-hand Neopoints, banked Neopoints, and gallery items to the attacker’s account. Some users report that this attack can even circumvent PIN protection.
This vulnerability affects all versions of Flash, including the very latest, so updating Flash won’t protect you from this attack.
Instead, you can protect yourself from this attack by taking these three steps:
This attack usually works by running a Flash file without you noticing. Thankfully, the Click-To-Play feature will stop your browser from running any Flash file until you right-click it and give it permission to run.
Check out this How-To Geek article, which describes how to enable this feature in all browsers. (Your browser might have Click-To-Play enabled by default.)
To confirm that you’ve completed this step, visit the official Adobe Flash Player website, and confirm that the two Flash files don’t run until you tell them to. It should look like this.
For websites that rely on plugins, like Netflix, your browser probably offers an option to give certain websites an “exception”, so that you don’t have to bother clicking to start the Netflix plugin every time. This exception should be disabled for all Neopets-related websites, including Dress to Impress, other fansites, and Neopets.com itself.
An exception usually makes sense when you trust a website, but Neopets-related websites are currently under attack: folks are claiming that they’re receiving this Flash file via Neomail, and it’s not unreasonable to think that a fan site might be targeted next. So, even if you trust your favorite fan sites like Dress to Impress (and we haven’t seen any attacks on us yet, by the way), we strongly recommend leaving Click-To-Play enabled on all Neopets-related sites regardless.
To confirm that you’ve completed this step, go to Neopets, click the Customise button in the top navigation bar, and confirm that the customization Flash file doesn’t load until you tell it to. It should look like this.
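For anyone who looks after several browsers at once (a family PC, a school lab, a guild's shared machines), both steps above can be set centrally instead of clicked through on each computer. The policy file below is an added example written for this editorial, not configuration from Dress to Impress, Neopets, or Adobe; it assumes Chrome on Linux, which reads managed policy from /etc/opt/chrome/policies/managed/, and uses www.netflix.com as the stand-in for a site you deliberately exempt. JSON allows no comments, so the assumptions are spelled out here: DefaultPluginsSetting 3 is Chrome's Click-To-Play value (1 would run plugins automatically, 2 would block them outright), and PluginsAllowedForUrls is the "exception" list the post describes.

```json
{
  "DefaultPluginsSetting": 3,
  "PluginsAllowedForUrls": [
    "https://www.netflix.com"
  ]
}
```

The weak version of this file is the one where someone has added "[*.]neopets.com" (or a fan site) to PluginsAllowedForUrls to skip the click on the Customise page; that single line reintroduces exactly the silent-autorun behaviour the attack depends on, so keep Neopets-related hosts out of that list. Firefox users can get the same default from about:config by setting plugin.state.flash to 1 ("Ask to Activate"), and should likewise avoid granting Neopets sites an "Allow and Remember" exception. As with the manual steps, verify by loading the Customise page and confirming the Flash file waits for a click.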
Here are some tips to help you stay safe:
I strongly recommend making this the new normal. It’s the default setting in newer browsers for a reason: plugins often contain major security vulnerabilities, and not running a plugin is always safer than running it.
That said, we’ll keep you posted regarding this vulnerability in particular. Once it’s resolved, interacting with Flash files will be safer, but it will never be 100% safe anywhere on the web. Regardless of the current situation on Neopets.com, only ever click Flash files that you trust.
Nope! In fact, I’m kinda upset, because I know that this security issue will become the big story and distract people from the fact that JumpStart stole fan art and then publicly lied about it.
But, unfortunately, this attack is happening right now, and we need to be vocal in order to protect our users. Once this security vulnerability is resolved, we can go back to talking about JumpStart’s mistakes, how they can fix them, and, if they don’t fix them, how we feel about remaining affiliated with a company that behaves that way :/ Stay tuned, keep writing in to the Editorial, and hang out with us on the Neoboards.
Thanks for reading, friends, and stay safe! Happy Sunday! —Matchu
edit: P.S. We’ve just spotted an instance of this attack on the Neoboards! Always be wary of unfamiliar links in the Neoboards, especially while this attack is out in the wild, and consider warning fellow users if you see a suspicious link today. Thanks!