Looking for security contact at Neopets

Hello all,

I’ve been dealing with an issue with Neopets, the online flash game. With the help of @tensor_bodega I was able to completely dump the entire codebase and see employee emails, LDAP credentials, database credentials, internal IPs, user IPs, etc. This is a serious problem - and being that I had experience with Neopets support in the past, I decided to contact them via public means on Twitter: https://twitter.com/johnjhacking/status/1342921353310027776?s=20

They had me reach out via DM and told me to submit a support ticket. I submitted multiple vulnerabilities, but as of now they have only resolved the less severe ones and not the vulnerabilities resulting in a full dump of their codebase w/ server configs and information.

If anyone has a contact beyond the Neopets support line, please let me know. I don’t like playing Support → Developer coordination games. This is urgent and critical because PII is exposed and some of these individuals are children.

Timeline for tracking:

2020-12-26: Found vulnerabilities
2020-12-26: Reached out to Neopets on Twitter, support triaged my issue
2020-12-27: Emailed Neopets Support for a follow-up, no answer
2020-12-28: Emailed Neopets Support for a follow-up, no answer
2020-12-28: Validated the fix of 5 medium vulnerabilities, most critical vulns still pending fix.
2020-12-28: Critical Vulnerabilities fixed, several medium-low impact vulnerabilities remain.
2020-12-28: Recheck revealed more vulnerabilities, looping back for more reporting.

Hey @johnjhacking - Was there progress on this?

Yes sorry, circling back now.

All 15 vulnerabilities that have been reported, including the two most critical resulting in the dump of credentials and proprietary code, are fixed. I have commended Neopets publicly, and if Disclose wants to, maybe we can give them a public shout as well.

Just posting an update here for readers:

John disclosed this vulnerability:

It was a good experience, and met with an adequate and professional response.