
Anything users can do?


naalaro


I've been hearing about the CG problem lately, and how they all stem from people managing to edit the scripts in pages etc. that allow for their mischief. As a user, I was wondering if there are any counters to that, any ways you can change your own script or something in key areas like shop/gallery etc. to safeguard against hackers? I'm not an expert in programming and stuff, so I really won't know.

Link to comment
Share on other sites

If you're using Firefox, you can check out the NoScript extension. :yes: It prevents all JavaScript from running except for the scripts you tell it to whitelist (it comes preloaded with a very basic whitelist). No JS = no cookie grabber scripts.

Link to comment
Share on other sites

If you're using Firefox, you can check out the NoScript extension. :yes: It prevents all JavaScript from running except for the scripts you tell it to whitelist (it comes preloaded with a very basic whitelist). No JS = no cookie grabber scripts.

 

I just wanted to add that, while this is certainly worth doing, it isn't infallible. I have it; but I also had it added and enabled when my old account was stolen. To be fair I'm not exactly sure where/how my account was stolen, only that it had to have been on Neo itself since I didn't ever give out info or click any bad links. Actually, maybe you can tell me -- I have it set to allow Neopets scripts (since quite a few things on Neo wouldn't work properly until I did) -- I assume this is probably why the thief was able to get my info (assuming that I must have had it taken by bad script in either a shop or a UL; since the page was technically a Neopets.com page, would the malicious script not have been blocked because of that?)

Link to comment
Share on other sites

I have it set to allow Neopets scripts (since quite a few things on Neo wouldn't work properly until I did) -- I assume this is probably why the thief was able to get my info (assuming that I must have had it taken by bad script in either a shop or a UL; since the page was technically a Neopets.com page, would the malicious script not have been blocked because of that?)

Yup that's correct. It's an unfortunate shortcoming of the whole domain whitelisting thing - Neopets loads user pages (which can potentially contain malicious scripts) and its own scripts from the same domain(s), so it's impossible for a program to distinguish them. A workaround is to temporarily allow 'neopets.com' when you're, say, playing a game, and revoke that temporary permission immediately afterwards.

 

But of course, the optimal thing would be for TNT to actually implement a proper system to stop people from sneaking in scripts. <_<

Link to comment
Share on other sites
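
The allowlisting limitation described in the post above, as an added example that is not part of the original thread and is not NoScript's code: a toy host-based allowlist in which an inline script inherits the host of the page it sits on. The class name, the paths and the third-party host are constructed for illustration.

```javascript
// Added illustration: a toy host-based script allowlist (not NoScript's code).
// All URLs and paths below are constructed sample data.

class ScriptAllowlist {
  constructor(permanent = []) {
    this.permanent = new Set(permanent);
    this.temporary = new Set();
  }
  allowTemporarily(domain) { this.temporary.add(domain); }
  revokeTemporary() { this.temporary.clear(); }

  // True if host equals an allowed domain or is a subdomain of one.
  permitsHost(host) {
    for (const d of [...this.permanent, ...this.temporary]) {
      if (host === d || host.endsWith("." + d)) return true;
    }
    return false;
  }

  // An inline script has no URL of its own, so it inherits the page's host.
  decide(pageUrl, script) {
    const host = script.src
      ? new URL(script.src, pageUrl).hostname
      : new URL(pageUrl).hostname;
    return this.permitsHost(host) ? "run" : "block";
  }
}

const PAGE = "https://www.neopets.com/constructed-user-shop";
const SCRIPTS = [
  { label: "site game code", src: "/constructed/site.js" },
  { label: "inline script inside user-edited content" },
  { label: "third-party host", src: "https://scripts.example.net/x.js" },
];

function evaluatePage(allowlist) {
  return SCRIPTS.map((s) => `${s.label}: ${allowlist.decide(PAGE, s)}`);
}

// Walks through the workaround: nothing allowed, temporary allow, revoke.
function demo() {
  const list = new ScriptAllowlist();
  const blocked = evaluatePage(list);
  list.allowTemporarily("neopets.com");
  const whilePlaying = evaluatePage(list);
  list.revokeTemporary();
  const afterRevoke = evaluatePage(list);
  return { blocked, whilePlaying, afterRevoke };
}

console.log(demo());
```

While the temporary permission is active, the site's own script and the inline script in user-edited content get the same decision, because the host is the only input the allowlist has.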

Yup that's correct. It's an unfortunate shortcoming of the whole domain whitelisting thing - Neopets loads user pages (which can potentially contain malicious scripts) and its own scripts from the same domain(s), so it's impossible for a program to distinguish them. A workaround is to temporarily allow 'neopets.com' when you're, say, playing a game, and revoke that temporary permission immediately afterwards.

 

But of course, the optimal thing would be for TNT to actually implement a proper system to stop people from sneaking in scripts. <_<

 

TNT do the optimal thing? Pshaw. :P

 

Anyway -- I'll probably re-disallow Neo on NoScript and just put up with having to keep doing the temporary permissions, because I really have no interest in restarting again lol. <_< Is there anywhere that having scripts disabled would somehow provide an unfair advantage? I know you can get in trouble for abusing AdBlock of course, but you have to do that on purpose; I can't think of any way offhand that one could abuse NoScript in a similar manner simply by disallowing Neo scripts, but I can't really remember, it's been a while since I tried to navigate the site with the scripts forbidden. It'd just be a bit unfortunate to protect my account from CGers only to have it frozen because TNT thought I was trying to cheat, so I wanted to make sure. -_-

Link to comment
Share on other sites

Well quite frankly, browsing the site with JavaScript disabled should be perfectly fine. I mean, it's only sensible - many lesser known web browsers out there don't even support JavaScript, yet would still be adequate for some basic tasks on Neopets. Then again... TNT sensible? Pshaw. :P

Link to comment
Share on other sites

Heh. I tried disabling JavaScript, but then I couldn't post here. :P Scrap that plan.

Link to comment
Share on other sites

Heh. I tried disabling JavaScript, but then I couldn't post here. :P Scrap that plan.

 

Hahah! Touche! In fact, that was exactly what happened when I tried that out only yesterday :D

 

But the fact that there is no foolproof safeguard still is a thorn in the sides of many. I suppose the best defense is being savvy enough to avoid such malicious intent. Then again... all of us have been surprised before...

Link to comment
Share on other sites

The best way to protect yourself, unfortunately, is to stay away from any page that can be altered by the user - shops, lookups and boards.

 

Has there been any official word from Neopets about any of this? I only log in to do the dailies and that's it.

Link to comment
Share on other sites

The best way to protect yourself, unfortunately, is to stay away from any page that can be altered by the user - shops, lookups and boards.

 

Has there been any official word from Neopets about any of this? I only log in to do the dailies and that's it.

 

No, and to be honest there probably never will be. -_- TNT tends to keep silent at best, and at worst outright deny that there's anything wrong even as they scramble to fix the coding holes. Presumably this is because they don't want the bad publicity; though IMHO they really get much worse publicity in the long run by not being honest with their users or reassuring people that something is being done. But I'm not a businessperson, what do I know, eh? <_<

 

Also -- I was posting a bit on the boards and the subject of disallowing Neo in NoScript came up. A user on the board (who, while I don't really "know" her, I have been acquainted with for some time and consider her very reasonable and reliable) pointed out an Editorial that strongly points to TNT giving the thumbs-down on blocking Neo scripts. So, while it bothers me to no end that they allow this to go on so long and yet deny us one of the few good options for protecting our accounts, I would say that it is very advisable to keep Neopets allowed on NoScript and just avoid user-editable areas if at all possible.

Link to comment
Share on other sites

o_O So if I happen to be a visually impaired person who uses Lynx because it works well with screen readers, TNT just freezes me? Man, sometimes I wonder...

 

Also, disabling JavaScript completely is hardly a viable option - c'mon, it's 2009! :P

Link to comment
Share on other sites

Most of the Premium members have been targeted because they have the SSW. If you see a price that's too good to be true, be careful! SOOO MANY people have gotten frozen on account of this... By the way, does anyone know how you're actually FROZEN? I thought CGers only took your stuff.. :sad01_anim:

Link to comment
Share on other sites

People can (and often do) ask TNT to freeze their accounts if they've been compromised. Also, I'm pretty sure it's TNT's policy to freeze compromised accounts. :yes:

Link to comment
Share on other sites

Most of the Premium members have been targeted because they have the SSW. If you see a price that's too good to be true, be careful! SOOO MANY people have gotten frozen on account of this... By the way, does anyone know how you're actually FROZEN? I thought CGers only took your stuff.. :sad01_anim:

I really am wondering how the entire basis of freezing works. Is there a set list of parameters or rules which TDN follows to freeze your account whenever an account is suspect?

Link to comment
Share on other sites
