Neopets security vulnerability in the wild, stealing all your stuff. Configure your browser not to run Flash files without your permission.

Hey friends,

A malicious Flash file has recently appeared on multiple Neopets-related websites, including Neopets.com itself.

When you visit an infected webpage, it exploits a vulnerability in Flash and Neopets.com to immediately transfer all of your on-hand Neopoints, banked Neopoints, and gallery items to the attacker’s account. Some users report that this attack can even circumvent PIN protection.

How can I stay safe?

This vulnerability affects all versions of Flash, including the very latest, so updating Flash won’t protect you from this attack.

Instead, you can protect yourself from this attack by taking these three steps:

1. Enable the Click-To-Play Plugins feature in your browser.

This attack usually works by running a Flash file without you noticing. Thankfully, the Click-To-Play feature will stop your browser from running any Flash file until you right-click it and give it permission to run.

Check out this How-To Geek article, which describes how to enable this feature in all browsers. (Your browser might have Click-To-Play enabled by default.)

To confirm that you’ve completed this step, visit the official Adobe Flash Player website, and confirm that the two Flash files don’t run until you tell them to. It should look like this.

2. Check the list of Click-To-Play exceptions, and remove all Neopets-related websites.

For websites that rely on plugins, like Netflix, your browser probably offers an option to give certain websites an “exception”, so that you don’t have to bother clicking to start the Netflix plugin every time. This exception should be disabled for all Neopets-related websites, including Dress to Impress, other fansites, and Neopets.com itself.

An exception usually makes sense when you trust a website, but Neopets-related websites are currently under attack: folks are claiming that they’re receiving this Flash file via Neomail, and it’s not unreasonable to think that a fan site might be targeted next. So, even if you trust your favorite fan sites like Dress to Impress (and we haven’t seen any attacks on us yet, by the way), we strongly recommend leaving Click-To-Play enabled on all Neopets-related sites regardless.

To confirm that you’ve completed this step, go to Neopets, click the Customise button in the top navigation bar, and confirm that the customization Flash file doesn’t load until you tell it to. It should look like this.

3. Only click to play a Flash file if you’re sure what it is, you trust the author, and you absolutely need it.

Here are some tips to help you stay safe:

  • Don’t run any Flash at all, if possible. This vulnerability is a big deal. Consider staying away from Flash entirely until it’s settled down.
    • Dress to Impress offers an Image mode on the left-hand side of the wardrobe page, which requires no Flash at all, by the way :)
  • Don’t click a Flash file on any user-controlled webpages. If another user can change any part of a webpage, it’s possible that they could cover a good Flash file with an evil Flash file, and trick you into clicking it.
    • For example, instead of using a pet’s lookup to see their customization, consider typing the pet’s name into Dress to Impress. If you’re running in Image mode and don’t click any of the Flash on the page, you’ll be 100% safe from this attack, even if someone manages to use our site to attack you (which is super duper unlikely).
  • Don’t click a Flash file on a website you’ve never been to before. Even if a page claims that it needs Flash to work — which might be true — it’s just not worth the risk unless you already know and trust the website.
  • Don’t click a Flash file in a place where you’re not expecting one. Even if it’s on a website you trust, the website may have been compromised; steer clear of any new Flash-related features you see.
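For anyone who manages browsers centrally (or just prefers a config file to clicking through settings menus), the following is an added example, not part of the original post and not something Dress to Impress ships: it writes the Chrome managed-policy equivalent of steps 1 and 2 and then audits a policy file for the two mistakes the post warns about. The policy names `DefaultPluginsSetting` (1 = run plugins automatically, 2 = block, 3 = click to play) and `PluginsAllowedForUrls` are real Chrome enterprise policies of that era; the install path is the Linux one and is an assumption, and the `neopets`/`openneo` hostname patterns in the audit are assumed to cover Neopets.com and Dress to Impress.

```shell
#!/bin/sh
# Added example (not from the original post). Chrome managed policy for
# click-to-play plugins with no Neopets exception, plus a coarse audit.
# Assumed install location on Linux: /etc/opt/chrome/policies/managed/
# DefaultPluginsSetting: 1 = run automatically (weak), 2 = block all, 3 = click to play

# write_policy PATH
# Writes a policy that makes click-to-play the default and keeps only a
# non-Neopets exception (Netflix, as in the post's example of a site that
# legitimately needs a plugin to run without a click).
write_policy() {
    cat > "$1" <<'EOF'
{
  "DefaultPluginsSetting": 3,
  "PluginsAllowedForUrls": [
    "https://[*.]netflix.com"
  ]
}
EOF
}

# audit_policy PATH
# Returns 0 when click-to-play is the default and no Neopets-related host
# appears in the file (a plain text check: a policy file has no other reason
# to mention these hosts). Returns 1 and prints the reason otherwise.
audit_policy() {
    file="$1"
    if ! grep -Eq '"DefaultPluginsSetting"[[:space:]]*:[[:space:]]*3([^0-9]|$)' "$file"; then
        echo "weak: plugins are not set to click-to-play in $file"
        return 1
    fi
    # Assumed hostname patterns: neopets.com and openneo.net (Dress to Impress)
    if grep -Eiq 'neopets|openneo' "$file"; then
        echo "weak: a Neopets-related site is exempted from click-to-play in $file"
        return 1
    fi
    echo "ok: click-to-play enforced, no Neopets exception in $file"
    return 0
}

# Stand-alone usage: write the policy to a scratch directory and audit it.
# To apply for real, write to /etc/opt/chrome/policies/managed/neopets.json
# (root required) and restart Chrome.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_policy "$dir/neopets.json"
    audit_policy "$dir/neopets.json"
fi
```

After placing the file, chrome://policy lists the loaded values, and the same check as in the post still applies: the Flash files on Adobe's player page and the Customise page on Neopets should sit idle until you click them. The audit deliberately fails on any Neopets-related hostname rather than trying to parse the JSON, since the point of step 2 is that no such entry should exist at all.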

When can I go back to my normal settings?

I strongly recommend making this the new normal. It’s the default setting in newer browsers for a reason: plugins often contain major security vulnerabilities, and not running a plugin is always safer than running it.

That said, we’ll keep you posted regarding this vulnerability in particular. Once it’s resolved, it’ll be safer to interact with Flash files, but still never 100% safe anywhere on the web. Regardless of the current situation on Neopets.com, only ever click Flash files that you trust.

Does this announcement have anything to do with the Spring Korbat Toy's stolen artwork?

Nope! In fact, I’m kinda upset, because I know that this security issue will become the big story and distract people from the fact that JumpStart stole fan art and then publicly lied about it.

But, unfortunately, this attack is happening right now, and we need to be vocal in order to protect our users. Once this security vulnerability is resolved, we can go back to talking about JumpStart’s mistakes, how they can fix them, and, if they don’t fix them, how we feel about remaining affiliated with a company that behaves that way :/ Stay tuned, keep writing in to the Editorial, and hang out with us on the Neoboards.

Thanks for reading, friends, and stay safe! Happy Sunday! —Matchu

edit: P.S. We’ve just spotted an instance of this attack on the Neoboards! Always be wary of unfamiliar links in the Neoboards, especially while this attack is out in the wild, and consider warning fellow users if you see a suspicious link today. Thanks!

/r/neopets Thread