Whats All The Hubbub?!
Cookie Grabbers, hereto referred to as "CG" can make you lose your account before you even know its gone.
People have been getting CGd all over Neopets. Assuming you're immune and it won't ever happen to you is the first mistake to be made. People have been targeted specifically, people have just come across the wrong user lookup. In this guide I will attempt to explain how CGs work, why TNT hasn't done anything yet, and most importantly... How to protect yourself.
So How Is It Possible?
What Happens Once You're CG'd?
Once a CGer gets your cookie, there is still a process to get into the account and therefore, you have time to protect yourself as best you can. The information that was processed and snagged by the PHP/Java will be saved in a hashed fashion into a .txt file. Most sites aren't stupid enough to save a cookie in an ACCOUNT:PASSWORD fashion, most are a combination of login time, name, password, and any other odd information that will make unhashing the password even more difficult. This information is then encrypted, hashed, and saved on your harddrive until the CG manages to get a hold of it. Unhashing passwords and accounts is a process, and takes a bit of time (usually up to 3 or 4 hours with the help of a program). Once again, this is the time you should be added PINs and changing passwords, if you know you've been CG'd that is.
Does TNT Know About This?
They undeniably do, but stopping an entire coding language is a difficult process, and the fact that Flatnux has been made specifically to override said code makes it even MORE complicated. I'm sure they are working on getting it fixed, and have been at it for at least 3 months. The time for the exploit is running out, but it only takes a day to lose your account to a CG forever.
How Can I Protect Myself?
Here it is, the reason you're probably visiting this guide. The answer is extremely simple and you will likely be shocked at how easy it is to avoid being CG'd... Meet my good friend NoScript!
Edit: Props to Jibri for Chrome NotScripts.
If you're using IE/Safari I would highly suggest switching as neither of them offer access to a Java blocking option and you will ALWAYS be susceptible to CGs!
If there are any questions feel free to PM me and I promise to help you out to the best of my (and your) ability. This concludes the first guide from your friendly neighborhood Abradix! Expect to see more soon.
Tools -> Options -> Content -> Untick
A cookies is saved in a .txt file for most or probably all of the browsers. I just took a look on my own neopets cookie. It tells me that the confidential information are 'hashed' instead of encrypt. Also, no password are stored. From what you said earlier on, the cookie stealer would requires a program to run to crack
the information. I can tell you that is wrong. They don't need to crack the hash information. It would take forever for them to crack the hash, or probably few hours like you said if it appear on a rainbow table but from this case I see, a rainbow table most likely wouldn't help. The cookie stealer just need some simple stuffs to access your account, the process I can tell you is less than 10 second
to access your account with your cookie
Using neopets PIN function will guard access to your SDB and bank, however it wouldn't guard your account fully.
As what other users suggested, 'relogging' of account. I can say it might
work. Seeing from the neopets cookie sample of my own, I am 'guessing' that the 'logged in' function is binded onto the cookie based on login sessions and your username instead of username:password. Therefore re-logging in might
erase the previous session when your cookies are being stolen therefore changing the session existed, thus expiring the previous cookie when the attacker stole your cookies. So yep it might work.....