What's All The Hubbub?!
Cookie Grabbers, hereafter referred to as "CG", can make you lose your account before you even know it's gone.
People have been getting CG'd all over Neopets. Assuming you're immune and it won't ever happen to you is the first mistake to be made. Some people have been targeted specifically; others have just come across the wrong user lookup. In this guide I will attempt to explain how CGs work, why TNT hasn't done anything yet, and most importantly... how to protect yourself.
So How Is It Possible?
CGs are very basic coding that can be implemented into almost any page on most websites, usually without you ever knowing that you've been nabbed. A bit of PHP, a dash of Javascript and you've got yourself a CG. The PHP translates the personal information stored on your computer into a format that can be read and saved by the Javascript. Most recently Neopets has disabled PHP and Java across their site. So we should all be nice and safe now, right? WRONG! Flatnukes (Flatnux for short) is a recent addition to the coding world and allows any scripts to be run regardless of whether or not the original coders attempted to block it. It was intended to be used so you wouldn't need to go through an entire page of code just to add in a bit of Java or XSS when you originally coded it to be blocked; more recently it has been used for more devious purposes.
What Happens Once You're CG'd?
Once a CGer gets your cookie, there is still a process to get into the account, and therefore you have time to protect yourself as best you can. The information that was processed and snagged by the PHP/Java will be saved in a hashed fashion into a .txt file. Most sites aren't stupid enough to save a cookie in an ACCOUNT:PASSWORD fashion; most are a combination of login time, name, password, and any other odd information that will make unhashing the password even more difficult. This information is then encrypted, hashed, and saved on your hard drive until the CG manages to get a hold of it. Unhashing passwords and accounts is a process, and takes a bit of time (usually up to 3 or 4 hours with the help of a program). Once again, this is the time you should be adding PINs and changing passwords, if you know you've been CG'd, that is.
Does TNT Know About This?
They undeniably do, but stopping an entire coding language is a difficult process, and the fact that Flatnux has been made specifically to override said code makes it even MORE complicated. I'm sure they are working on getting it fixed, and have been at it for at least 3 months. The time for the exploit is running out, but it only takes a day to lose your account to a CG forever.
How Can I Protect Myself?
Here it is, the reason you're probably visiting this guide. The answer is extremely simple and you will likely be shocked at how easy it is to avoid being CG'd... Meet my good friend NoScript!
Chrome: https://chrome.googl...lpidmdajjpkkcfn
Firefox: https://addons.mozil...addon/noscript/
Edit: Props to Jibri for Chrome NotScripts.
If you're using IE/Safari I would highly suggest switching, as neither of them offers access to a Java blocking option and you will ALWAYS be susceptible to CGs!
If there are any questions feel free to PM me and I promise to help you out to the best of my (and your) ability. This concludes the first guide from your friendly neighborhood Abradix! Expect to see more soon.
You don't need to know PHP to do a Cookie Grabber. You just need to know basic Javascript and basically set up another page that accepts an input/parameter. Basically a Cookie Grabber uses XSS exploits to steal your cookie. It is no use to 'delete' your cookie; it won't make any difference. Also, Java != Javascript; they are two totally different programming languages and unrelated (probably just related in some of the syntax).
I have never used the NoScript plugin before, but reading the plugin page, it seems to have the ability to block the Cookie Grabber; however I am unsure if you need to change settings on the plugin to activate the 'Disable Javascript' function. Checking from this page - http://noscript.net/ - from the screenshot, it gives me the thought that it is set by default to disable Javascript. So it would probably work by just installing it. However, if you are using Firefox, you can do it another way to protect yourself from Cookie Grabbers.
Tools -> Options -> Content ->
Unticking 'Enable Javascript' will protect you from being 'cookie grabbed'.
However, when you have disabled Javascript, or used the NoScript plugin to disable Javascript, some sites you are viewing (not Neopets) might not work; however it would still protect you from being attacked by XSS exploits from other websites. So you would probably have some problems viewing other legitimate websites that require Javascript to run. Some legitimate websites you view, especially those built on AJAX or using jQuery technology, would pose problems like the website not running properly or functions missing. Then you would need to re-enable your Javascript for the webpage to work normally. However, remember to turn it off again when you are going to Neopets or some other important websites where you wouldn't want your cookies to be grabbed.
A cookie is saved in a .txt file for most or probably all browsers. I just took a look at my own Neopets cookie. It tells me that the confidential information is 'hashed' instead of encrypted. Also, no password is stored. From what you said earlier on, the cookie stealer would require a program to crack the information. I can tell you that is wrong. They don't need to crack the hashed information. It would take forever for them to crack the hash, or probably a few hours like you said if it appears in a rainbow table, but from this case I see, a rainbow table most likely wouldn't help. The cookie stealer just needs some simple stuff to access your account; the process, I can tell you, is less than 10 seconds to access your account with your cookie.
Using the Neopets PIN function will guard access to your SDB and bank; however it wouldn't guard your account fully.
As other users suggested, 'relogging' the account: I can say it might work. Seeing from my own Neopets cookie sample, I am 'guessing' that the 'logged in' function is bound to the cookie based on login sessions and your username instead of username:password. Therefore re-logging in might erase the previous session when your cookies have been stolen, thereby changing the existing session and thus expiring the previous cookie the attacker stole. So yep, it might work.....