Quantcast

Jump to content


Photo

Scared Of Being CG'd?


  • Please log in to reply
109 replies to this topic

#1 Abradix

Abradix
  • 769 posts

Posted 19 January 2011 - 07:58 PM

*
POPULAR POST!

Whats All The Hubbub?!


Cookie Grabbers, hereto referred to as "CG" can make you lose your account before you even know its gone.
People have been getting CGd all over Neopets. Assuming you're immune and it won't ever happen to you is the first mistake to be made. People have been targeted specifically, people have just come across the wrong user lookup. In this guide I will attempt to explain how CGs work, why TNT hasn't done anything yet, and most importantly... How to protect yourself.

So How Is It Possible?

CGs are very basic coding that can be implemented into almost any page on most web pages, usually without you ever knowing that you've been nabbed. A bit of PHP, a dash of Javascript and you got yourself a CG. The PHP translates the personal information stored on your computer into a format that can be read and saved by the Javascript. Most recently Neopets has disabled PHP and Java across their site. So we should all be nice and safe now right? WRONG! Flatnukes (Flatnux for short) is a recent addition to the coding world and allows any scripts to be run regardless of whether or not the original coders attempted to block it. It was intended to be used so you wouldn't need to go through an entire page of code just to add in a bit of Java or XSS when you originally coded it to be blocked, more recently it has been used for more devious methods.

What Happens Once You're CG'd?

Once a CGer gets your cookie, there is still a process to get into the account and therefore, you have time to protect yourself as best you can. The information that was processed and snagged by the PHP/Java will be saved in a hashed fashion into a .txt file. Most sites aren't stupid enough to save a cookie in an ACCOUNT:PASSWORD fashion, most are a combination of login time, name, password, and any other odd information that will make unhashing the password even more difficult. This information is then encrypted, hashed, and saved on your harddrive until the CG manages to get a hold of it. Unhashing passwords and accounts is a process, and takes a bit of time (usually up to 3 or 4 hours with the help of a program). Once again, this is the time you should be added PINs and changing passwords, if you know you've been CG'd that is.


Does TNT Know About This?
They undeniably do, but stopping an entire coding language is a difficult process, and the fact that Flatnux has been made specifically to override said code makes it even MORE complicated. I'm sure they are working on getting it fixed, and have been at it for at least 3 months. The time for the exploit is running out, but it only takes a day to lose your account to a CG forever.

How Can I Protect Myself?

Here it is, the reason you're probably visiting this guide. The answer is extremely simple and you will likely be shocked at how easy it is to avoid being CG'd... Meet my good friend NoScript!

Chrome: https://chrome.googl...lpidmdajjpkkcfn
Firefox: https://addons.mozil...addon/noscript/


Edit: Props to Jibri for Chrome NotScripts.


If you're using IE/Safari I would highly suggest switching as neither of them offer access to a Java blocking option and you will ALWAYS be susceptible to CGs!


If there are any questions feel free to PM me and I promise to help you out to the best of my (and your) ability. This concludes the first guide from your friendly neighborhood Abradix! Expect to see more soon.

Edited by Abradix, 23 January 2011 - 11:16 AM.


#2 Scot

Scot
  • ≡^ᴥ^≡

  • 3,873 posts


Users Awards

Posted 19 January 2011 - 08:01 PM

Posted Image

#3 Chopped

Chopped
  • 139 posts

Posted 19 January 2011 - 08:04 PM

Great Guide Man. Plus 1 rep for you.

#4 ShadowLink64

ShadowLink64
  • 16,713 posts


Users Awards

Posted 19 January 2011 - 08:12 PM

Nice guide. :D Thanks for helping inform everyone about them. :p

#5 Scot

Scot
  • ≡^ᴥ^≡

  • 3,873 posts


Users Awards

Posted 19 January 2011 - 08:21 PM

Thanks for this man. I have so many questions

Is the PIN number part of the hash? What do you do when you* get into an account that is pinned?
How long does a page with said script last before TnT catches on?
You said specific people can be targeted, is that through trial an error, like ignoring lesser accounts until you get the person you want?
Do you clean the account immediately or collect a bunch of info first as to not cause panic then harvest them all rapidly?

*You referring to CGers collectively.

#6 Roxi

Roxi
  • 499 posts

Posted 19 January 2011 - 08:21 PM

Really nice. I've never thought about being CG'd. Scary thought. I think I'll be using that handy link you have there to make sure it doesn't happen. Thanks.

#7 Abradix

Abradix
  • 769 posts

Posted 19 January 2011 - 08:33 PM

Is the PIN number part of the hash? What do you do when you* get into an account that is pinned?

The PIN number is fortunately for you guys, not so fortunate for CGers, not included in the hash. There has been success with a recent cracking program but it does take time to use and go through all those number combinations, usually if an account is PIN'd I don't bother with the NP unless its the only thing they really have to offer, and even then only if its over 500k-ish.

How long does a page with said script last before TnT catches on?

The pages themselves don't flag TNT at all for the time being, its the IP address that gives you away.

You said specific people can be targeted, is that through trial an error, like ignoring lesser accounts until you get the person you want?

This is generally done through a NeoMail. Friends only doesn't generally help either since people will accept anyone who wants to discuss their trades and what not. If these tactics both fail the last resort is cracking their email.

Do you clean the account immediately or collect a bunch of info first as to not cause panic then harvest them all rapidly?


Methods differ, I personally don't care about being caught so I just take whatever I can and "gift" the high price-tag items to other accounts I'd like to see iced. There are people who are a bit more sneaky about it though.



#8 Seren

Seren
  • 45 posts

Posted 19 January 2011 - 09:40 PM

+1 - thank you very much :)

#9 Wil

Wil
  • 200 posts

Posted 19 January 2011 - 10:19 PM

For some reason I feel much safer getting this info from a CGer.

#10 Strategist

Strategist
  • Sadmin


  • 9,489 posts


Users Awards

Posted 20 January 2011 - 02:25 AM

lol i was thinking the exact same thing as you Wil. Cheers for the info and guide mate. It allowed me to finally understand how CG'ers work and what to do to prevent any unwanted attacks. Much appreciated :)

#11 Waser Lave

Waser Lave

  • 25,516 posts


Users Awards

Posted 20 January 2011 - 03:44 AM

Are there any specific areas of the site where the CGers are being placed so people know where to avoid?

#12 Barophobia

Barophobia
  • 612 posts

Posted 20 January 2011 - 04:18 AM

Rep'd you for this, learnt something new today. (though it kinda just adds to my paranoia.)


Also, scot's gifs and pics never fail to amuse :p


#13 Lychee

Lychee
  • 633 posts

Posted 20 January 2011 - 05:05 AM

Thanks for the guide - I've been using NoScript for Neo for ages now, but it's good to see that it's still the best in protecting accounts. Just one question in regards to Neomails: some say that it's better to turn formatting in NMs off to prevent CGing. Any truth in this?

(...and a second question, but you might not wanna answer it: how do you pick your targets? People who piss you off or what?)

#14 BERRIES

BERRIES
  • 232 posts

Posted 20 January 2011 - 07:38 AM

Wow, thanks for the awesome guide, really helped. Switched from Safari to Firefox, >____<

How do we know if we got CG-ed?

#15 AstroCrunch

AstroCrunch
  • 8 posts

Posted 20 January 2011 - 09:11 AM

Thanks for pointing me towards this guide, I'm not very tech-orientated and I had no idea about this.  

Few questions:
1 - If I have moved over from using IE to Firefox and installed NoScript could I still be CGd?  Is it attached to your account or just when you log on?

2 - Do you just install the add on and let it run using the preset preferences or do you have to make some preference changes?  

Thanks, AC.

Edited by AstroCrunch, 20 January 2011 - 09:11 AM.


#16 nonotjj

nonotjj
  • 134 posts

Posted 20 January 2011 - 09:16 AM

1 - If I have moved over from using IE to Firefox and installed NoScript could I still be CGd? 


If you're running Firefox with NoScript installed, your chances of being CG'd are much lower..

 Is it attached to your account or just when you log on?


I'm assuming you mean your cookie.. The cookie is account specific and it gets set once you login. Try clearing your cookies and going to neopets.com ... it'll make you sign in because it found no cookie identifying your account.

#17 jaredennisclark

jaredennisclark
  • 838 posts

Posted 20 January 2011 - 11:16 AM

Say we are CG'ed, and for whatever reason we know we have been.

What exactly do we need to do in order to 'escape'? Simply log out and log back in? Log out and clear cookies and log back in?

#18 nonotjj

nonotjj
  • 134 posts

Posted 20 January 2011 - 11:23 AM

Say we are CG'ed, and for whatever reason we know we have been.

What exactly do we need to do in order to 'escape'? Simply log out and log back in? Log out and clear cookies and log back in?


I read somewhere on this site that logging out and logging back in will invalidate the old cookie... I can test and report back.

#19 Ziz

Ziz
  • 936 posts

Posted 20 January 2011 - 11:29 AM

Say we are CG'ed, and for whatever reason we know we have been.

What exactly do we need to do in order to 'escape'? Simply log out and log back in? Log out and clear cookies and log back in?


Clearing your computer will not help if you got CG'ed, they would have everything they need to take your account.
Abradix told in this guide that once they have your info, they have to decipher it (and it takes a while). While that is happening you still have time to change your password (and hopefully not falling in another Cookie Grabber).

However I have seen that recently, it is a little hard to change a password on neopets and it can take some time...

#20 nonotjj

nonotjj
  • 134 posts

Posted 20 January 2011 - 11:38 AM

Clearing your computer will not help if you got CG'ed, they would have everything they need to take your account.
Abradix told in this guide that once they have your info, they have to decipher it (and it takes a while). While that is happening you still have time to change your password (and hopefully not falling in another Cookie Grabber).

However I have seen that recently, it is a little hard to change a password on neopets and it can take some time...


The 'old' cookie took about 10mins before it was invalidated by neo (so if you click 'logout' and then 'login'.. someone could still have fun for about ~10mins before they were forced logged out)... changing the password was the quickest way to make sure the login cookie was invalidated. And I've never needed to decipher a cookie to spoof their login... if you give me the value of 'neologin' cookie I can be you.

Edited by nonotjj, 20 January 2011 - 11:43 AM.


#21 Tigerzz

Tigerzz
  • 160 posts

Posted 20 January 2011 - 12:25 PM

Check you (:
Didn't know you was smart as well as everything else! :p
Plus one for you and the fact you're new. :thumbsup:

For some reason I feel much safer getting this info from a CGer.


This needs a plus one too, i'm afraid :thumbsup:

#22 Information

Information
  • 246 posts

Posted 20 January 2011 - 12:26 PM

I don't get it Abradix, one moment you are encouraging cookie grabbers... the next you are trying to nullify their master attempts of theft?

Come on, entertain me with a response...

#23 Tigerzz

Tigerzz
  • 160 posts

Posted 20 January 2011 - 01:05 PM

I don't get it Abradix, one moment you are encouraging cookie grabbers... the next you are trying to nullify their master attempts of theft?

Come on, entertain me with a response...



..I don't think it's really about that, it's more aimed towards learning more about cg'ers and how they work for people that don't know anything about it or are curious to how they work or how to stay safe? It's not really encouraging in any part to start cg'ers?

#24 Noitidart

Noitidart
  • Neocodex Co-Founder

  • 23,214 posts


Users Awards

Posted 20 January 2011 - 01:14 PM

I thought NoScript doesn't really help. You have to go to tools>options>disable javascript

That's what I thought.
But this is a great guide. So if you were CGed then logging out then back in won't help huh? As they have the hash of your password?

I also heard something about RequestPolicy addon for firefox does that help?

For some reason I feel much safer getting this info from a CGer.

This is why I asked him to make this topic.

I don't get it Abradix, one moment you are encouraging cookie grabbers... the next you are trying to nullify their master attempts of theft?

Come on, entertain me with a response...

I told him we don't support that, and told him a way how he can use his knowledge for good.

#25 Tigerzz

Tigerzz
  • 160 posts

Posted 20 January 2011 - 01:20 PM

This is why I asked him to make this topic.


I told him we don't support that, and told him a way how he can use his knowledge for good.



Lol, re reading it i can see how it's encouraging if you want to become a cg'er it cause it sounds easy, but i like the idea of making this guide to actually use for safety reasons xD


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users