
Blog: Preventing Cookie Grabber Attacks on Neopets...


riopk217


As you may be aware, I'm a Neopets player. I'm going to look at how you can prevent malicious scripts from stealing your cookies and allowing people to gain access to your accounts. This is an epidemic which has recently been sweeping Neopets, where people are embedding malicious code into their shops, user lookups, pet pages etc.


Neopets users have been calling these attacks 'Cookie Grabbers', but to be accurate, they are XSS (Cross Site Scripting) attacks, which allow the would-be predator to gain access to your Neopets cookies. Once they have your cookie, they can plug it into their browser and log onto Neopets as if they were you. Thankfully, there are ways to prevent malicious scripts from running on your computer, and I'm going to look at one way to prevent them from running for Google Chrome (or Chromium) and one for Firefox. I'm not really sure how possible it is to protect against XSS attacks in Internet Explorer; I think they have something built in to 8 and 9, but since I use a Mac, I haven't really verified it.

Rest is here: http://blog.alphaneg...cks-on-neopets/

 

I also added another blog offering a dual-browser alternative which doesn't require constantly changing settings: http://blog.alphaneg...rabber-attacks/

 

Finally, added a pet page so that I can help people on the Neo Boards: http://www.neopets.com/~hidealani


Thanks for the update! I've actually had an account stolen before. I don't want to lose this one too! :sad01_anim: Luckily I am using a more secure computer. Another thing to watch out for is logging on a neopets look-alike site. I did this and immediately lost my account.

 

By the way riopk217 welcome! I'm a newbie too :laughingsmiley:


Thanks for the update! I've actually had an account stolen before. I don't want to lose this one too! :sad01_anim: Luckily I am using a more secure computer. Another thing to watch out for is logging on a neopets look-alike site. I did this and immediately lost my account.

 

By the way riopk217 welcome! I'm a newbie too :laughingsmiley:

 

This is huge, whenever you log into *any* site -- whether that's Neopets, Facebook or Gmail -- you should check the address bar and make sure you're on the site you think you're on. If you're using Firefox or Chrome, there's no way for anybody to spoof the address bar, so do this easy visual check.


I think I'm going to have to keep tabs on your blog. xD

 

I'm too afraid to click on the link. Might be a cookie grabber.

Seeing as it's clearly hosted on a different domain from Neopets, XSS against Neopets on a modern browser would be virtually impossible. The link is safe. ;)

 

That said, TDN's own article on cookie grabbers (written during the height of unfounded cookie grabber paranoia, which sadly seems to be still present in disproportionately large quantities) may be a decent additional reference.


Log out of Neopets before opening it if you think it's a CG. This should be standard with ANY link you don't trust.

 

"AA" - The script wouldn't have to be hosted on neopets.com, especially if he's using an older or out of date browser. XSS scripts often send false positives to match domain names.

 

Basically, the neologin cookie (the one which is used to store your login details) stores something like:

Name: neologin
Content: riopk217%2YxfVn7Nb3acxDD7f57fee0ed10bd91c95f158llo8
Domain: .neopets.com
Path: /
Send For: Any kind of connection
Accessible to Script: Yes
Created: Sunday, February 27, 2011 3:25:48 PM
Expires: Monday, February 27, 2012 3:25:48 PM

 

What you could do (if I hadn't changed the hash above) is take that cookie, plug it into your browser and essentially use Neopets as me without needing to know my username or password (it's not quite that simple, but it's the essence of what the XSS abusers are doing).

 

One common (and very scary) myth is that it stores, or allows the hacker to obtain, your password. What it appears to do is store your password, salted (this means adding something to it to make it difficult to decrypt with a hasher) against the date and time of your login.

 

If TNT had been smart and hashed against your IP (or even browser build, machine name or OS), then checked it whenever they checked the cookie, these XSS attacks would be nearly impossible, but that's another story altogether.

 

Getting a password out of the hash (that's the part after username%) is nigh on impossible, so whilst logging out is a great security measure, it's not actually necessary to change your password. If the pass were just an un-salted MD5 hash, this would be different.

 

I have tested, and logging out and back in does change the salted password. What this means, essentially, is that if you log out every time you're finished using Neopets, you vastly improve your security as the cookie hijacker would have to use your cookie whilst you're still logged in for it to remain valid.

 

Further Neopets Security Tips to Avoid XSS Cookie Grabber Attacks

 

Discusses a two-browser option to avoid the tedium of allowing and disallowing scripts. This is currently my favoured way of using Neopets.


"AA" - The script wouldn't have to be hosted on neopets.com, especially if he's using an older or out of date browser. XSS scripts often send false positives to match domain names.

Interesting... I'm familiar with XSS attacks but I was unaware that it was possible for a script to spoof its domain name, except against extremely old browsers (hence 'modern browser' in my previous post) - any idea how this is done specifically? Example code/hypothetical setups would be nice - I'm downright curious now. xD

 

And yes, logging out of Neopets is simply the best counter there is to a cookie grabber attack - even if an attacker managed to read your login cookie, it would be completely invalidated on the Neopets servers. :yes: Does TNT really insert your password into the login cookie though? Even salted and hashed, that seems like a really dumb thing to do from a security standpoint, as opposed to, say, generating a random session string to associate with the logged in username (personally I'd prefer to generate a new session string on every page load - probably why all the server code I write has a ridiculous database load (: - regenerating after a set period of time/number of pageloads would be more sensible).

 

On a random note: Yay! I'm not the only person crazy enough to test session invalidation on random sites! :P

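The session design sketched in the two posts above (a random session string rather than a password-derived value, an HttpOnly cookie so page scripts cannot read it, and server-side invalidation on logout) as an added example. This is illustrative code written for this thread, not Neopets' real login code; the store, the IP binding from the earlier post, and the one-hour lifetime are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: token -> (username, client_ip, issued_at).
# Constructed for this example; a real site would use a database or cache.
SESSIONS = {}
SESSION_TTL = 3600  # seconds; a short lifetime limits how long a leaked token works


def login(username: str, client_ip: str) -> str:
    """Issue a random, unguessable session token. Nothing about the password
    (hashed, salted or otherwise) is placed in the cookie value."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, client_ip, time.time())
    return token


def session_cookie(token: str) -> str:
    """Build the Set-Cookie value. HttpOnly stops document.cookie from reading it
    (the neologin cookie above was 'Accessible to Script: Yes'); Secure keeps it
    off plain HTTP; SameSite=Lax blocks most cross-site sends of the cookie."""
    cookie = SimpleCookie()
    cookie["neologin"] = token
    cookie["neologin"]["httponly"] = True
    cookie["neologin"]["secure"] = True
    cookie["neologin"]["samesite"] = "Lax"
    cookie["neologin"]["path"] = "/"
    return cookie.output(header="").strip()


def authenticate(token: str, client_ip: str, now=None):
    """Return the username for a valid token, else None. Checks that the token is
    known, unexpired and (as suggested earlier in the thread) presented from the
    same client IP it was issued to; any failure discards the session."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, bound_ip, issued = entry
    if now - issued > SESSION_TTL or client_ip != bound_ip:
        SESSIONS.pop(token, None)
        return None
    return username


def logout(token: str) -> None:
    """Server-side invalidation: a copied cookie value is useless after this,
    which is why logging out is the strongest counter to a grabbed cookie."""
    SESSIONS.pop(token, None)
```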
