Scared Of Being CG'd?


109 replies to this topic

#51 Ziz

Ziz
  • 936 posts

Posted 22 January 2011 - 07:39 PM

If you got CG'd at a certain point in time but you always log out of your account is there a way for the CGer to find out your password and username regardless?

Read this:

Once a CGer gets your cookie, there is still a process to get into the account and therefore, you have time to protect yourself as best you can. The information that was processed and snagged by the PHP/Java will be saved in a hashed fashion into a .txt file. Most sites aren't stupid enough to save a cookie in an ACCOUNT:PASSWORD fashion, most are a combination of login time, name, password, and any other odd information that will make unhashing the password even more difficult. This information is then encrypted, hashed, and saved on your hard drive until the CG manages to get a hold of it. Unhashing passwords and accounts is a process, and takes a bit of time (usually up to 3 or 4 hours with the help of a program). Once again, this is the time you should be adding PINs and changing passwords, if you know you've been CG'd that is.



The log out thing only helps to log out every other person that is in your account, but the CG would still have your info.
So you have to log out and re-log in AND change your password, and try not to fall into a CG again, ASAP if that happens.

#52 Guest_jcrgirl_*

Guest_jcrgirl_*

Posted 22 January 2011 - 08:15 PM

Fuck that is so much work
-rage-

Ah well *goes to change password* ^_^~

#53 Abradix

Abradix
  • 769 posts

Posted 22 January 2011 - 08:32 PM

If you got CG'd at a certain point in time but you always log out of your account is there a way for the CGer to find out your password and username regardless?


If you meant that you log in and out and don't have your password stored I got sour news for ya, there are always cookies from TNT unless you set your browser security settings to the max.



If you've been following the hijinks on the BD Chat this past week, multiple SuAPs, tons of older weapons, an m-skull, and a few wodf/istaffs have been compromised. Some even sold from the compromised accounts over the course of a month.

As for things that have been stolen, see above. People are just as ruthless as I am, nobody will pass up an 800k MoSkull/WoDF/SuAP even if it's someone else's. I even post things like "Wow there's a lot of stuff on this account, who wants to buy some of it?!" and business is booming.


Edited by Abradix, 22 January 2011 - 09:10 PM.


#54 Dreww

Dreww
  • 552 posts

Posted 22 January 2011 - 09:04 PM

If you meant that you log in and out and don't have your password stored I got sour news for ya, there are always cookies from TNT unless you set your browser security settings to the max.

As for things that have been stolen, see above. People are just as ruthless as I am, nobody will pass up an 800k MoSkull/WoDF/SuAP even if it's someone else's. I even post things like "Wow there's a lot of stuff on this account, who wants to buy some of it?!" and business is booming.

Was that first paragraph directed at me?

#55 Abradix

Abradix
  • 769 posts

Posted 22 January 2011 - 09:10 PM

Nah, it was for jcrgirl. Fail tag is fail. Fix'd now.

#56 Daywalker88

Daywalker88
  • 62 posts

Posted 23 January 2011 - 10:28 AM

Don't murder me for not knowing this, but what exactly does CG stand for?

I already regret posting this because I know I'm gonna get 5 comments saying like

WHAT KIND OF AN IDIOT DOESN'T KNOW WHAT A CG IS. or something

well fuck off, Urban dictionary just told me it meant computer graphics, which wouldn't really make sense in the place of this topic

#57 Ziz

Ziz
  • 936 posts

Posted 23 January 2011 - 10:47 AM

Don't murder me for not knowing this, but what exactly does CG stand for?

I already regret posting this because I know I'm gonna get 5 comments saying like

WHAT KIND OF AN IDIOT DOESN'T KNOW WHAT A CG IS. or something

well fuck off, Urban dictionary just told me it meant computer graphics, which wouldn't really make sense in the place of this topic


Cookie Grabber. If you would have read through the posts on this topic you would have noticed that.
But I don't blame you since it should be in the first page. Hopefully Abradix will edit the first post after watching this and add that.

#58 Abradix

Abradix
  • 769 posts

Posted 23 January 2011 - 11:14 AM

Cookie Grabber. If you would have read through the posts on this topic you would have noticed that.
But I don't blame you since it should be in the first page. Hopefully Abradix will edit the first post after watching this and add that.


Done and done.

#59 Daywalker88

Daywalker88
  • 62 posts

Posted 23 January 2011 - 01:29 PM

Thanks, I did read the first page and assumed that's where the important info would be. My fault.

#60 hello123

hello123
  • 5 posts

Posted 31 January 2011 - 05:31 AM

What's All The Hubbub?!


Cookie Grabbers, hereto referred to as "CG" can make you lose your account before you even know it's gone.
People have been getting CGd all over Neopets. Assuming you're immune and it won't ever happen to you is the first mistake to be made. People have been targeted specifically, people have just come across the wrong user lookup. In this guide I will attempt to explain how CGs work, why TNT hasn't done anything yet, and most importantly... How to protect yourself.

So How Is It Possible?

CGs are very basic coding that can be implemented into almost any page on most web pages, usually without you ever knowing that you've been nabbed. A bit of PHP, a dash of Javascript and you got yourself a CG. The PHP translates the personal information stored on your computer into a format that can be read and saved by the Javascript. Most recently Neopets has disabled PHP and Java across their site. So we should all be nice and safe now right? WRONG! Flatnukes (Flatnux for short) is a recent addition to the coding world and allows any scripts to be run regardless of whether or not the original coders attempted to block it. It was intended to be used so you wouldn't need to go through an entire page of code just to add in a bit of Java or XSS when you originally coded it to be blocked, more recently it has been used for more devious methods.

What Happens Once You're CG'd?

Once a CGer gets your cookie, there is still a process to get into the account and therefore, you have time to protect yourself as best you can. The information that was processed and snagged by the PHP/Java will be saved in a hashed fashion into a .txt file. Most sites aren't stupid enough to save a cookie in an ACCOUNT:PASSWORD fashion, most are a combination of login time, name, password, and any other odd information that will make unhashing the password even more difficult. This information is then encrypted, hashed, and saved on your hard drive until the CG manages to get a hold of it. Unhashing passwords and accounts is a process, and takes a bit of time (usually up to 3 or 4 hours with the help of a program). Once again, this is the time you should be adding PINs and changing passwords, if you know you've been CG'd that is.


Does TNT Know About This?
They undeniably do, but stopping an entire coding language is a difficult process, and the fact that Flatnux has been made specifically to override said code makes it even MORE complicated. I'm sure they are working on getting it fixed, and have been at it for at least 3 months. The time for the exploit is running out, but it only takes a day to lose your account to a CG forever.

How Can I Protect Myself?

Here it is, the reason you're probably visiting this guide. The answer is extremely simple and you will likely be shocked at how easy it is to avoid being CG'd... Meet my good friend NoScript!

Chrome: https://chrome.googl...lpidmdajjpkkcfn
Firefox: https://addons.mozil...addon/noscript/


Edit: Props to Jibri for Chrome NotScripts.


If you're using IE/Safari I would highly suggest switching as neither of them offer access to a Java blocking option and you will ALWAYS be susceptible to CGs!


If there are any questions feel free to PM me and I promise to help you out to the best of my (and your) ability. This concludes the first guide from your friendly neighborhood Abradix! Expect to see more soon.


You don't need to know PHP to do a Cookie Grabber. You just need to know basic JavaScript and basically set up another page that accepts an input/parameter. Basically, a Cookie Grabber uses XSS exploits to steal your cookie. It is no use to 'delete' your cookie; it won't make any difference. Also, Java != JavaScript; they are two totally different and unrelated programming languages (probably just related in some of the syntax).

I have never used the NoScript plugin before, but reading from the plugin page, it seems to have the ability to block the Cookie Grabber. However, I am unsure if you need to change settings on the plugin to activate the 'Disable JavaScript' function. Checking from this page - http://noscript.net/ - the screenshot gives me the thought that it is set by default to disable JavaScript. So it would probably work by just installing it. However, if you are using Firefox, you can protect yourself from Cookie Grabbers another way.

Tools -> Options -> Content -> Unticking 'Enable javascript' would protect you from being 'Cookie grabbed'.

However, when you have disabled JavaScript, or used the NoScript plugin to disable JavaScript, some sites you are viewing (not Neopets) might not work, although it would still protect you from being attacked by XSS exploits from other websites. So you would probably have some problems viewing some other legitimate websites that require JavaScript to run. Some legitimate websites you view, especially those built on AJAX or using jQuery technology, would pose problems like the website not running properly or functions missing. Then you would need to re-enable JavaScript for the webpage to work normally. However, remember to turn it off once again when you are going to Neopets or some other important websites where you wouldn't want your cookies to be grabbed.

A cookie is saved in a .txt file for most or probably all of the browsers. I just took a look at my own Neopets cookie. It tells me that the confidential information is 'hashed' instead of encrypted. Also, no passwords are stored. From what you said earlier on, the cookie stealer would require a program to crack the information. I can tell you that is wrong. They don't need to crack the hashed information. It would take forever for them to crack the hash, or probably a few hours like you said if it appears in a rainbow table, but from this case I see, a rainbow table most likely wouldn't help. The cookie stealer just needs some simple stuff to access your account; the process, I can tell you, takes less than 10 seconds to access your account with your cookie :)

Using the Neopets PIN function will guard access to your SDB and bank; however, it wouldn't guard your account fully.

As other users suggested, 'relogging' the account: I can say it might work. Seeing from the Neopets cookie sample of my own, I am 'guessing' that the 'logged in' function is bound to the cookie based on login sessions and your username instead of username:password. Therefore re-logging in might erase the previous session from when your cookies were stolen, thus changing the existing session and expiring the previous cookie that the attacker stole. So yep, it might work.....
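
The session-binding idea guessed at in the post above, as an added example that is not part of the original thread and not Neopets' actual code: a server-side session table in which the cookie carries only a random token, a new login retires earlier tokens, and the cookie is marked HttpOnly so page script cannot read it. The class name, the cookie name `sid` and the user name are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Illustrative in-memory session table (hypothetical, not any real site's code)."""

    def __init__(self):
        self._by_token = {}   # token -> username
        self._by_user = {}    # username -> set of live tokens

    def login(self, username):
        """Issue a fresh random token and retire every older token for this user."""
        for old in self._by_user.pop(username, set()):
            self._by_token.pop(old, None)
        token = secrets.token_urlsafe(32)
        self._by_token[token] = username
        self._by_user[username] = {token}
        return token

    def logout(self, token):
        """Invalidate the token server-side; clearing the browser cookie alone is not enough."""
        user = self._by_token.pop(token, None)
        if user is not None:
            self._by_user.get(user, set()).discard(token)

    def whoami(self, token):
        """Return the username for a live token, or None if it is unknown or retired."""
        return self._by_token.get(token)


def session_cookie_header(token):
    """Build a Set-Cookie value that script cannot read and that is sent only over HTTPS."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()


def demo():
    """A copied token works until the owner logs in again, then it is dead."""
    store = SessionStore()
    copied_token = store.login("example_user")   # constructed sample user
    before = store.whoami(copied_token)
    store.login("example_user")                  # owner re-logs in, old token retired
    after = store.whoami(copied_token)
    return before, after
```
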

#61 mysterybat

mysterybat
  • 305 posts

Posted 31 January 2011 - 09:40 AM

it is terrible to hear that CGers can even have methods to break into banks and SDBs even if we have set a PIN :sorry:

so I will not put my valuable items in my account, and will transfer part of them to my side accounts ....

#62 BEEEEWRRYY

BEEEEWRRYY
  • 315 posts

Posted 31 January 2011 - 03:22 PM

So I pretty much add NoScript onto Firefox and enable it and that's it? Don't need to do anything else?

#63 mysterybat

mysterybat
  • 305 posts

Posted 31 January 2011 - 08:42 PM

just install NoScript, and thank you for the guide :cool:
basically I clear all my cookies every day, and just think this will help me to prevent from cg .... never know about javascript ~ good to remind this :rolleyes:

Edited by mysterybat, 31 January 2011 - 09:03 PM.


#64 Neoquest

Neoquest
  • 1,680 posts



Posted 31 January 2011 - 08:53 PM

I just downloaded no-script, thanks for the info!

#65 iargue

iargue
  • 10,048 posts



Posted 01 February 2011 - 01:00 AM

Your guide is full of disinformation :|

#66 trixz1

trixz1
  • 89 posts

Posted 01 September 2011 - 02:53 PM

nice guide.. does this really work? >>>iffy with downloading unnecessary things on my comp unless I know it's 100% working

#67 lluvia

lluvia
  • 162 posts

Posted 19 September 2011 - 08:50 PM

trixz - I've heard that it does.

Also, you might want to add this - http://www.neopets.com/~ripht (not mine, of course)
Basic guide to the PC, but it has a bit of intro information about CGers and how to block them, and then links to quite a few pages telling you how to do it in more detail (including RequestPolicy).

Is RequestPolicy really needed?

BTW - because I have NoScript and NotScript installed, people borrowing my laptop have always commented on how much security I have on it. XP (On top of Norton and all that).

#68 Therion

Therion
  • 205 posts

Posted 20 September 2011 - 12:08 AM

nice guide.. does this really work? >>>iffy with downloading unnecessary things on my comp unless I know it's 100% working


Noscript may not be necessary, but it will likely do you FAR more good than the standard anti-viral software at keeping junk, malicious or otherwise out of your computer.

So whether you choose to put faith in this guide or not, noscript is an excellent program to have for browsing online.

#69 LOLButter

LOLButter
  • 47 posts

Posted 07 October 2011 - 05:30 PM

Thanks for the explanation, makes me wanna go put on a pin now lol

#70 Boggart

Boggart
  • Professional Napper

  • 7,981 posts



Posted 07 October 2011 - 07:52 PM

lol... abradix

#71 JackiRate

JackiRate
  • 17 posts

Posted 07 February 2013 - 01:31 AM

Thank you for this.

 

Nice info!



#72 cmacx

cmacx
  • 9 posts

Posted 10 February 2013 - 08:32 AM

I don't know if this is what could have happened to me? Account was frozen when I tried to log in today and I wasn't on it for days



#73 cherbear

cherbear
  • 10 posts

Posted 02 March 2013 - 06:20 PM

Thanks - I always get sketched out when I see good items in shops for 1np or 10np. 



#74 Trixic

Trixic
  • 332 posts

Posted 03 March 2013 - 02:12 AM

I believe I was CGed on my main account before while I was on hiatus.

They had somehow gotten my password and my pin (neither were that easy to guess) and robbed me blind.

 

There is a new(?) feature I just noticed in the site preferences of Neo, I don't know if you guys know about it.

You are able to turn on a security feature (it says highly recommended -- I don't know why it isn't on by default) which requests your birthday if your account is attempted to be logged in from a foreign location.

 

I wouldn't think CGers would store birthday information since you very rarely input it, so I think it's pretty good protection... correct me if I'm wrong though.



#75 DoNotAnnoyMe

DoNotAnnoyMe
  • 157 posts

Posted 04 March 2013 - 06:21 AM

as someone grave-digged this already....

 

 

it is terrible to hear that CGers can even have methods to break into banks and SDBs even if we have set a PIN :sorry:

so I will not put my valuable items in my account, and will transfer part of them to my side accounts ....

of course there's a way - it's called bruteforce (aka just try all possible PINs till you find the right one aka guessing) - there's just 10000 possible pins, so if it doesn't lock you out on misentering the pin too often it only buys you a little time (and possibly the account being flagged)

 

 

Your guide is full of disinformation :|

 

pretty much this  :unsure:
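
The lockout point made in the reply above, as an added example that is not from the thread or from Neopets: a per-account PIN check that locks after a few wrong entries, plus the arithmetic for how long a 10000-value PIN space holds out under that policy. The limit of 3 failures and the 1-hour lock are assumed values, and `PinGuard` is a hypothetical name.

```python
import hmac
import math

PIN_SPACE = 10_000        # four decimal digits, as stated in the post
MAX_FAILURES = 3          # assumed policy value
LOCK_SECONDS = 3600       # assumed policy value


class PinGuard:
    """Per-account PIN check with a lockout (hypothetical illustration)."""

    def __init__(self, pin):
        self._pin = pin
        self._failures = 0
        self._locked_until = 0.0

    def check(self, guess, now):
        """Return 'ok', 'wrong' or 'locked'; `now` is a timestamp in seconds."""
        if now < self._locked_until:
            return "locked"              # even the correct PIN is refused while locked
        if hmac.compare_digest(guess, self._pin):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._locked_until = now + LOCK_SECONDS
            self._failures = 0
        return "wrong"


def worst_case_hours(pin_space=PIN_SPACE, per_window=MAX_FAILURES, lock=LOCK_SECONDS):
    """Hours of lockout that must elapse before the last untried PIN can be entered."""
    windows = math.ceil(pin_space / per_window)
    return (windows - 1) * lock / 3600
```
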



