Looking for security contact at Neopets

johnjhacking · December 28, 2020, 5:09am

Hello all,

I’ve been dealing with an issue with Neopets, the online flash game. With the Help of @tensor_bodega I was able to completely dump the entire Codebase and see Employee Emails, LDAP Credentials, Database Credentials, Internal IPs, User IPs, etc. This is a serious problem - and being that I had experience with Neopets support in the past, I decided to contact them via public means on Twitter: https://twitter.com/johnjhacking/status/1342921353310027776?s=20

They had me reach out via DM and told me submit a support ticket. I submitted multiple vulnerabilities, but as of now they have only resolved the less severe ones and not the vulnerabilities resulting in a full dump of their Codebase w/server configs and information.

If anyone has a contact beyond the Neopets support line, please let me know. I don’t like playing Support → Developer coordination games. This is urgent and critical because PII is exposed and some of these individuals are Children.

johnjhacking · December 28, 2020, 7:05pm

Timeline for tracking:

2020-12-26: Found vulnerabilities
2020-12-26: Reached out to Neopets on Twitter, support triaged my issue
2020-12-27: Emailed Neopets Support for a follow-up, no answer
2020-12-28: Emailed Neopets Support for a follow-up, no answer
2020-12-28: Validated the fix of 5 medium vulnerabilities, most critical vulns still pending fix.
2020-12-28: Critical Vulnerabilities fixed, several medium-low impact vulnerabilities remain.
2020-12-28: Recheck revealed more vulnerabilities, looping back for more reporting.

disclose · December 30, 2020, 1:46am

Hey @johnjhacking - Was there progress on this?

johnjhacking · January 2, 2021, 8:17pm

Yes sorry, circling back now.

All 15 vulnerabilities that have been reported, including the two most critical resulting in the dump of credentials and proprietary code, are fixed. I have commended Neopets publicly, and if Disclose wants to, maybe we can give them a public shout as well.

sickcodes · February 8, 2021, 11:30am

Just posting an update here for readers:

John disclosed this vulnerability:

https://reddit.com/r/neopets/comments/kkphhy/neopets_got_breached/

johnjhacking · February 15, 2021, 8:41pm

It was a good experience, and met with an adequate and professional response.