Famous Neopians and Events
Submitted by jetsamoverlord
December 2000:
One of the first cheats on Neopets was a program that enabled players to send in fake scores on Neopets. The wrath of the mighty TNT had been boiling up for about a month. When finally angered by the players who faked game scores to get money and avatars, TNT went on a freezing field day where they froze over 200 users for cheating. Iceland must have been pretty crowded after that.
The 4-4-4 disaster:
On April 4th 2004 Neopets got a bug where the lost password request form allowed anyone to view the email address and password for any account. So the horrible scammers/hackers out there were able to have free rein on poor Neopians’ accounts for three days! Many accounts were hacked and frozen, and the mess didn’t end there: a lot of people used the same password and username on Neopets as they did on e-mails and other things. (I personally would care more about Neopets XP) So sadly many people’s security was ruined as well.
Dupe Day:
On July 25th 2005 there was a coding problem that made it so users could duplicate items and sell them. So say you got a MSPP and you “Dupe it” you could make maybe 1000 MSPPs and sell them for 1 mil each and make a profit of 1000mil! In online games like Runescape and World of Warcraft, item duping is a real problem and it makes the economy really unstable. Thousands of users were frozen, some of whom were frozen wrongly.
Kaos and InfamousX241:
Between the months of November 2005 and January 2006 there was a hole that allowed users to customize pages with JavaScript. Two users called InfamousX241 and Kaos used this hole to plant login cookie grabbers on pages that they made. So they could sell a PB for 1k in their shop and tons of people would go to it. These cookie grabbers would allow InfamousX241 and Kaos to view the login info of all the users that went to those pages. The hole was patched by TNT, but InfamousX241 was able to find another way around it, and he got back to work. He was even able to snag TNT’s account, and from that he could freeze people, lock boards, change posts, the whole nine yards. Here is a screenie.
And here is an apology letter written by InfamousX241:
Dear those who I have caused substantial loss,
I am truly and very sorry for my actions, I had no right to steal and sell Neopoints; however easily they are created and destroyed. I had totally forgotten that behind these accounts, there are real people who probably take the game very seriously. Had I known that so many people’s lives would be shattered by my actions, I would have refrained from doing so. I simply figured this; Neopoints are infinite. If I take some, it can surely be replaced (which it is quicker for some than others, sadly). I’d like to mention that I am not a frightening anti-Semite. The one responsible for the horrifying and vulgar terms was ‘KaosKinesis’, my short-lived German partner with a peculiar sense of humor. Although I take the blame, I ask why my emails regarding your site’s variety of bugs were disregarded. I offered to help fix the bugs, but I’m assuming you didn’t want help from someone of my likeness – that’s ok. Below is a copy of the e-mail I sent:
Hi,
Several times I’ve tried to bring to your attention the threat of XSS
Injection on Neopets pages. I’ve given my information, and Neopets has
failed to contact me about something that can easily be fixed. It’s a
huge problem and is compromising the security of many ‘high-class’
accounts — even moderators.
This is InfamousX241, the initial creator of over 10 cookie grabbers
which have been continuously “patched”, but Neopets has yet to stop
the malicious code (aka. ‘Cookie Grabbers’ for obvious reasons).
If any employees actually care about the problem at hand I’d
appreciate it if someone contacted me via MSN or AIM. After all, I’m
doing you a favor.
MSN: InfamousX241@gmail.com (preferred)
AIM: InfamousX241
P.S. Kaos is a noob.
As a matter of security however, I’d like to give some suggestions, if you’re remotely interested in the security of your site:
1. When creating cookies, use unique session IDs based on the user’s IP address, or anything else static and unique to the user’s account. If the IP changes, they simply re-login.
2. Although the PIN numbers are quite adequate protection, the shop tills and stocks are left wide open.
3. Have a more secure login for moderators and such, the cookies should be super secure!
4. I am fully aware Neopets keeps plain-text passwords in their MySQL databases. This is not good. I would recommend at least MD5 + a custom key. However, with 80 million users plus, it may be too late unless you have the rows automatically update upon login.
5. Hire a security auditor now and then!
6. Actually read and listen to incoming mail regarding bugs.
I figured since this email would be one of the few you actually read, I’d include these tips in here. Also, if by any chance you’d be requiring regular security audits, I’d be more than happy.
Once again, I am very sorry about the damage I’ve caused Neopets Inc and the individuals who work there. Consider your demands met.
Sincerely,
Babak Rasouli
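Suggestion 4 in the letter (hash stored passwords and have rows update upon login), as an added example that is not from the letter or from Neopets. The table layout and column names are hypothetical, and salted PBKDF2-HMAC-SHA256 is used here in place of the “MD5 + a custom key” the letter proposes.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to the login server's hardware

# Constructed sample rows. "password" is the legacy plain-text column;
# "salt" and "pw_hash" are hypothetical columns added for the migration.
USERS = {
    "alice": {"password": "hunter2", "salt": None, "pw_hash": None},
    "bob": {"password": "correct horse", "salt": None, "pw_hash": None},
}

def derive(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow KDF from the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def upgrade_row(row: dict) -> None:
    # Replace the plain-text value with salt + hash, then erase the original.
    salt = os.urandom(16)
    row["salt"], row["pw_hash"] = salt, derive(row["password"], salt)
    row["password"] = None

def login(username: str, attempt: str) -> bool:
    row = USERS.get(username)
    if row is None:
        return False
    if row["pw_hash"] is None:
        # Legacy row: check against plain text, upgrade on success.
        if not hmac.compare_digest(row["password"].encode(), attempt.encode()):
            return False
        upgrade_row(row)
        return True
    # Migrated row: constant-time comparison of derived hashes.
    return hmac.compare_digest(row["pw_hash"], derive(attempt, row["salt"]))

def migrate_remaining() -> int:
    # Batch pass for accounts that never log in again; returns rows converted.
    pending = [r for r in USERS.values() if r["pw_hash"] is None]
    for row in pending:
        upgrade_row(row)
    return len(pending)

if __name__ == "__main__":
    print(login("alice", "hunter2"), migrate_remaining())
```

Because the legacy column is plain text, the batch pass can convert every remaining row without waiting for a login; upgrade-on-login alone is only required when the old value is a hash that cannot be reversed.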
Ad0:
A user named Ad0 was able to hack into Neopets and change pets’ stats. TNT said that the reason for this was... a misfired lab ray! XP
value[1].wmf:
From August 26 to August 27 Neopets was infected with a virus called value[1].wmf and a Trojan downloader called bl4ck.com. Because of this, Neopets was blacklisted by Australia.
Jazz_Invincible:
Jazz_Invincible was the first user to 100 and 200 avatars, and he would have been the first user to 300 avatars but he was frozen!
NOTE: We have received information that some of this information might be inaccurate:
The user known as “Kaos/KaosKinesis” spearheaded most of the CG’ing attacks. “Infamous” was simply a friend from a forum that eventually backstabbed him, thus Kaos sent in all of the CG scripts - inevitably getting them blocked. KaosKinesis also played a very large role in “Dupe Day,” with the programmer known as “sockopen.”
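The cookie grabbers (“CG” scripts) described in this article relied on user-customized pages running JavaScript against visitors’ login cookies. An added example, not Neopets’ code and not from the letter, of three server-side measures against that: encoding user-supplied page text, marking the session cookie HttpOnly, and tying the session to the client address as the letter’s first suggestion proposes. All function names and the in-memory session store are hypothetical.

```python
import html
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # session id -> (username, client IP); stands in for a server-side store

def render_shop_blurb(user_text: str) -> str:
    # Encode user-supplied shop text so any markup is shown, not executed.
    return '<div class="blurb">' + html.escape(user_text, quote=True) + "</div>"

def issue_session(username: str, client_ip: str):
    # Random, unguessable id; the account and address stay on the server.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (username, client_ip)
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True   # page scripts cannot read the cookie
    cookie["session"]["secure"] = True     # sent over HTTPS only
    cookie["session"]["samesite"] = "Lax"
    return sid, "Set-Cookie: " + cookie["session"].OutputString()

def check_session(sid: str, client_ip: str):
    # Returns the username, or None if the id is unknown or the address changed.
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    username, bound_ip = entry
    if client_ip != bound_ip:
        del SESSIONS[sid]  # address changed: drop the session, user logs in again
        return None
    return username
```

Address binding logs out users whose IP changes mid-session and does not separate users behind one shared address, so the output encoding and the HttpOnly flag are the measures that keep a page script away from the cookie in the first place.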
Categories:
Neopets History, Neopets Scams
I can’t believe I never heard of any of these, I have been a neopian for most of them.
Wow, I think that just shows how Neopets are sometimes quite stuck up. If they were more in contact with their users some of this wouldn’t have happened!
This information is rather flawed. The user known as “Kaos/KaosKinesis” spearheaded most of the CG’ing attacks. “Infamous” was simply a friend from a forum that eventually backstabbed him, thus Kaos sent in all of the CG scripts - inevitably getting them blocked. KaosKinesis also played a very large role in “Dupe Day,” with the programmer known as “sockopen.”
Actually Phil, your information is wrong. Kaos was the friend from the forum, Infamous was the one who programmed it all, and did that =D
Thanks, Phil! I’ll update this article with that information.
There were no avatars in 2000…
ily sockopen and i want to masturbate all over you.
Whoa, I can’t believe all this has happened =O
4-4-4 I hated that day. I had to change my PIN code 30 times