About cookie grabbers

[Gammarax]

Hey guys,

 

I just want to ask, how PREVALENT are cookie grabbers anyway? I ask this because seemingly every time someone encounters a problem or anything of the sort, a CG is blamed. Isn't Neopets aware of this and aren't filters implemented to avoid this?

 

For the more technically inclined, how EASY is it to make one anyway? Like, could a script kiddy just get one off the net and post it on some side account and basically reap the benefits?

 

I'm really scared but somehow can't help but think the issue is a bit "overrated". But because of the posts I've seen I usually logout often just to be sure.

 

Also, CGs can't get your password right? Just your cookie session?

 

 

Tldr; Should I logout every so often to keep myself protected?

[Cornflakes]

Wait until you get CGed, and see how "overrated" you think it is then.

 

Yes, CGs can get your password, that's how they get into your account.

 

Just don't visit any suspicious non-Neopets sites and change your password regularly. Also, set a PIN. It saved me from getting frozen, and it just might save you too.

[hrtbrk]

Hey guys,

 

I just want to ask, how PREVALENT are cookie grabbers anyway? I ask this because seemingly every time someone encounters a problem or anything of the sort, a CG is blamed. Isn't Neopets aware of this and aren't filters implemented to avoid this?

As far as I know, they do have working filters this time to prevent cookie grabbers. I do recall a few recent cases of it happening on petpages, but as far as shops/look ups are clean.

 

For the more technically inclined, how EASY is it to make one anyway? Like, could a script kiddy just get one off the net and post it on some side account and basically reap the benefits?

//Waits for Theo... LOL

 

I'm really scared but somehow can't help but think the issue is a bit "overrated". But because of the posts I've seen I usually logout often just to be sure.

 

Also, CGs can't get your password right? Just your cookie session?

Exactly. They don't get your password, they login via the cookie session they grabbed when you viewed their page - that's why it's strongly suggested to log out asap to make the cookie they have invalid.

 

I'm sure Theo will come in and explain more accurately.

 

Don't be scared, though. I haven't heard about a serious CG outbreak in a long, long time.

 

Tldr; Should I logout every so often to keep myself protected?

Can't hurt anything. As a general rule for myself, I view all petpages/look ups in a separate browser just to be safe. If I need to buy something from a usershop, I check their account age and pets [in the separate browser] before hand. Simple practice to protect yourself - along with occasional logouts.

 

Not saying that it's a 100% safe way, tho haha

[Gammarax]

 

Can't hurt anything. As a general rule for myself, I view all petpages/look ups in a separate browser just to be safe. If I need to buy something from a usershop, I check their account age and pets [in the separate browser] before hand. Simple practice to protect yourself - along with occasional logouts.

 

Not saying that it's a 100% safe way, tho haha

 

 

I see. Thanks for that! :)

 

Although, I do have to ask, how can you "detect" that the petpage/lookup isn't a CG page by opening it in a different browser? :O

[hrtbrk]

You can't. lol

 

If you need some information off of a petpage, you can view it on a browser that you don't play Neopets on. If it does have a cookie grabber, there's no useful cookie to take.

 

I view user look-ups in a different browser just to check their age and how well they take care of their pets before going to their shop. If they have a week old account and a bunch of expensive items - that's a little sketchy to me - so I'll avoid it. /weirdo :laughingsmiley:

[antiaircraft]

Heartbreak has the answer pretty much nailed. This is definitely a serious issue, but the amount of hysteria surrounding it, coupled with the tendency people have developed to immediately blame any mishaps on 'CGs', is frankly a little overblown (cf. xkcd #574). That doesn't mean you shouldn't watch out, but don't worry too much, and definitely don't let them spoil your fun.

 

TNT has been mostly on the ball with the issue of malicious scripts on Neopets lately, but the issue is of course that JavaScript is all handled client-side, meaning that the exact way code is interpreted depends largely on your web browser and your computer. Because there are so many different browsers and configurations out there, TNT has a very tough time getting everything covered all the time, and occasionally something new crops up. However, in the vast majority of cases, you don't have all that much to worry about - as Cornflakes said, set a PIN and change your password regularly. :yes:

 

While phishing scams and all sorts of nastiness can happen on non-Neopets sites, cookie grabbers simply cannot. Modern web browsers are specifically designed to only allow websites access to cookies they stored themselves*, meaning that it is straight-up impossible for a non-Neopets site to read your Neopets cookies. On the extremely rare occasion that someone does figure out a way to do this, it's known as an XSS (cross-site scripting) vulnerability, a critical security hole which all browser developers will scramble to fix in an update within about twelve hours (unless said developer is Microsoft, in which case they'll probably wait until the second Tuesday of the next month).

 

Regarding the ease of actually writing cookie grabbers, the code itself is relatively trivial to come up with. The difficulty in this case would be getting the code past TNT's filters, which is in most cases effectively impossible - on occasion somebody figures out something that can slip past (and the issue here of course is that the exploit can be spread quickly among crackers and script kiddies), but it's just as easy for TNT to shut the crackers back out when they realise what's happening.

 

Exactly. They don't get your password, they login via the cookie session they grabbed when you viewed their page - that's why it's strongly suggested to log out asap to make the cookie they have invalid.

Yep, this is mostly correct - the only thing a successful cookie grabber can obtain is the (theoretically) randomly generated session string that identifies your current login session. The moment you log out, this string becomes invalid. However, there is one caveat here: as I understand it, Neopets does not randomly generate your session string. Instead, the session string is actually generated (via an algorithm known as a 'hash') based on your password. Now, while hashes are specifically designed to be ridiculously difficult to reverse**, this can still be a problem if you use a weak password (e.g. a common word or phrase). What happens then is that the cracker can potentially compare your hash against a dictionary of hashes of common words and phrases, and see if there's a match. If you set a decent password however (mix upper and lowercase letters, numbers, and symbols), you're pretty much entirely safe on this front.

 

I'm really not sure why Neopets' login system still uses this rather unsafe practice (if it still does), and I also wonder why TNT hasn't tried placing the HttpOnly flag on login cookies to simply eliminate the risk from client-side scripts entirely***. They're doing a great job of keeping a lid on these issues using their existing systems, but I really do think some simple changes could potentially nix cookie grabbers on the site entirely. I can only imagine that lack of resources, supporting older browsers, and dealing with the massive amounts of legacy code they must have accumulated over the years is holding them back.

 

* Unless the cookie was explicitly marked as a 'super' cookie (a cookie meant to be readable across multiple websites) when it was stored, but I digress.

** If somebody went and built a supercomputer just to crack Neopets accounts, I really wouldn't know what to say.

*** Caveat: At present Firefox is the only browser that behaves entirely correctly with the HttpOnly flag and XHR requests, but other browsers do get most of the secure behaviour right.

[-Ryan]

Uh... Yeah, what Theo said. I would've said it first but my version has a lot more detail and uh... Technical terms. You know. :P

[antiaircraft]

Right. xD

 

tl;dr is set a PIN, set a good password (letters, numbers, symbols), change your password regularly, and log out every now and again if you feel like it (for most people, just logging off when they're done with Neopets for the day should be fine).

[Cornflakes]

I thought they get your password from your cookies.

 

Well whatever, CGs suck.

[Mason]

all i know is they are no where near what the majority of people on neopets think. and they generally aren't instantaneous. so when someone comes onto the boards from their side and say "OMG I JUST GOT CG'ED" they have no idea what they're talking about. cg'ers stockpile info and crack it later. if you lose your account from a cg'er, it happened a WHILE ago, and not just before you were logged out.

[antiaircraft]

all i know is they are no where near what the majority of people on neopets think. and they generally aren't instantaneous. so when someone comes onto the boards from their side and say "OMG I JUST GOT CG'ED" they have no idea what they're talking about. cg'ers stockpile info and crack it later. if you lose your account from a cg'er, it happened a WHILE ago, and not just before you were logged out.

That is largely correct. :yes: However, it is worth noting that professionally engineered cross-site scripting attacks (created by actual black hat hackers, as opposed to the crackers you find on Neopets) are usually designed to deliver their entire 'payload' the instant they're loaded*, for maximum potency. We're highly unlikely to ever see something developed with this degree of skill on Neopets however.

 

* This can be done via an XHR request, or DOM manipulation and submission of a form element.

[Gammarax]

That is largely correct. :yes: However, it is worth noting that professionally engineered cross-site scripting attacks (created by actual black hat hackers, as opposed to the crackers you find on Neopets) are usually designed to deliver their entire 'payload' the instant they're loaded*, for maximum potency. We're highly unlikely to ever see something developed with this degree of skill on Neopets however.

 

* This can be done via an XHR request, or DOM manipulation and submission of a form element.

 

Thanks for all the technical info LOF. I'm happy to be able to understand the things you just said, haha! And yeah, I guess the real black hat hackers would have more important things to do than hack a site like Neo.

[antiaircraft]

Thanks for all the technical info LOF. I'm happy to be able to understand the things you just said, haha! And yeah, I guess the real black hat hackers would have more important things to do than hack a site like Neo.

You're welcome! xD And that's true too, no hacker would ever bother to waste time ruining other people's fun on Neopets. In the unlikely event Neopets ever was targeted by hackers, they'd almost definitely hit the servers directly instead of bothering with individual accounts (I wager they'd go straight for whatever system the NC Mall uses to handle transactions).

[Guest Zazi]

Whoa, I had no idea this was such a recurrent thing.

I have one question though: does using "incognito" mode on Chrome or "private navigation", for example, prevent this from happening?

[behati]

Whoa, I had no idea this was such a recurrent thing.

I have one question though: does using "incognito" mode on Chrome or "private navigation", for example, prevent this from happening?

 

Yes, but this "secret" browsing isn't very "secret". Incognito just means download histories, webpage histories won't be logged (kept track of in your browser) and upon exiting the browser it will auto-delete any cookies that a website might have attempted to save. It's no different than just hitting "log out" and "clear cookies" in your regular browser. - you don't really need your download and webpage history wiped unless you're doing something real shady and neopets is trying to CG you :3

 

I'm surprised I haven't seen neopets DDoS'd yet. If someone really hated Viacom, I'm sure they would target neopets with so many users.

[Guest Zazi]

Yes, but this "secret" browsing isn't very "secret". Incognito just means download histories, webpage histories won't be logged (kept track of in your browser) and upon exiting the browser it will auto-delete any cookies that a website might have attempted to save. It's no different than just hitting "log out" and "clear cookies" in your regular browser. - you don't really need your download and webpage history wiped unless you're doing something real shady and neopets is trying to CG you :3

 

I'm surprised I haven't seen neopets DDoS'd yet. If someone really hated Viacom, I'm sure they would target neopets with so many users.

 

Not doing anything shady - promise. I use it to log on to Neo mainly because people laugh at me when they come over and see that I still play Neopets. Avidly.

I have browsing data that I wouldn't erase for the world (I have major trouble remembering websites and bookmarking things) and I would hate clearing my cookies daily and have me logged out of every other website of the world.

So its less trouble - for me, as erasing cookies and logging out occasionally goes - to just navigate through it, right?

[behati]

It's personal preference, as long as you don't visit shady websites and you remember to log out often it's all good. What I do is I use my browser to auto save passwords and logins (since it's a personal computer at home), and set my browser to delete cookies on exit. So it logs me out anyway since the cookies are no longer there to CG so to speak. =)