Security Warning Regarding the Neopets Mobile App

[Bat]

In light of recent alleged "wifi hacking" incidents involving Neopets accounts, I took a look at the code for the NeoExplorer (Neopets Mobile) app to see if the Neopets team did anything to address security issues. Unfortunately, the app has the same holes that the website itself has - it communicates using plain old-fashioned HTTP, without any protection for your account's cookies or credentials.

Since many of us are going to be using the Neopets Mobile app on our phones and tablets, we will likely be taking those devices out from the protection of our home wifi and into the dangerously unpredictable wireless networks of our everyday lives. Please exercise caution when using Neopets Mobile in caf�s, coffee shops, offices, restaurants, stores and so on. The Neopets team has not seen fit to protect your account, or your username and password from being stolen when you're using this app, and you never know if someone might be out there running packet captures!

---

Ha! Thanks, @(you need an account to see links). I should've summarized.

In conclusion: don't use the app when you're on public wifi. It's not safe. Use cellular data or home wifi only!

[j03]

TL;DR - Don't use the app outside of your home wifi unless you have cellular data.


Sent from my iPhone using Tapatalk

[Mardan]

I'm mystified by how they keep doing this.
Not using https is pretty much a web2.0 practice.

[Flordibel]

Thanks for the heads-up!

[♥ PrettySarcastic ♥]

The security practices of this company are atrocious. The last thing they need is another database breach, and the lack of care they are taking really doesn't give me faith such a thing is impossible.

Thanks for the heads up. <3

[k80]

Ugh this company, I swear.

Non-tech person here; Is it difficult to switch an older site/DB like Neo to https or just laziness? I've gotten the feeling that the entire site is just a big patchwork quilt of old code ready to fall apart if you look at it wrong. And a tiny skeleton crew to repair it if it does. Breaks my heart. I love Neo but it gets very frustrating.

[Bat]

Ugh this company, I swear.

Non-tech person here; Is it difficult to switch an older site/DB like Neo to https or just laziness? I've gotten the feeling that the entire site is just a big patchwork quilt of old code ready to fall apart if you look at it wrong. And a tiny skeleton crew to repair it if it does. Breaks my heart. I love Neo but it gets very frustrating.

It could be done, but it won't be easy, and will probably damage the Neopets experience for some time.

There area considerable amount of flash files, forms, images, links, scripts, stylesheets and XHR requests on the site that would have to be checked after a changeover like that. The JSON or XML responses from XHR requests as well as pages resulting from clicked links or form submissions may also need a bit of reprogramming if the Neopets team validates whole referer addresses instead of just the path after the host name. There may also be addresses for external resources hard-coded into flash animations and games, which will require those flash files to be recompiled after changing. Each of the apps they've released for phones and tablets would need new compilations due to address changes as well - there are hard-coded http addresses all over the place in those!

[Flordibel]

Is it standard practice to hard-code http or https nowadays?

[Bat]

Is it standard practice to hard-code http or https nowadays?

Standard practice should be to future-proof your solution as much as possible, otherwise you end up in the same predicament that Neopets is currently faced with. It may have been excusable to some in the 2000s, but having ignored the need for https after all this time is just irresponsible, and as @(you need an account to see links) put it - lazy.