Cookie Grabbers.. Again >_<


78 replies to this topic

#1 Noitidart

Noitidart
  • Neocodex Co-Founder

  • 23214 posts


Posted 04 July 2010 - 02:46 PM

Alright, so there is word floating around that cookie grabbers (CGs) are back. For those of you that don't know what CGs are, they allow other people to steal your sessions, so they can get in your account and steal stuff. Most likely they will not be able to lock you out of your account (by changing your password/email), but there is like a 5% chance they can.

First thing you should do is change your session cookie. Logging out then logging back in should be enough to change your session cookie, but you can just change your password. It's good practice to change your password though, so I would recommend that.

To further avoid this, try not to buy often from usershops. If you have to, then disable your JavaScript first. This is most likely a way to prevent it.

To enable/disable JavaScript in Firefox 2.xx or 3.xx series
1. Open Firefox.
2. On the Tools menu, click Options.
3. Click on the Content icon. (Fig. 1)
4. Check the box next to Enable JavaScript. Uncheck it to disable. (See image below)
5. Click OK.
[Image]

Edit by iargue: You can use the programs on here that use the usershops, that is safe.

#2 Waser Lave

Waser Lave

  • 25516 posts


Posted 04 July 2010 - 02:49 PM

Use pins on everything valuable too.

#3 Noitidart

Noitidart
  • Neocodex Co-Founder

  • 23214 posts


Posted 04 July 2010 - 02:53 PM

Oh yeah that's real important. Thanks laser man I forgot to mention that. Pin pin pin! Super important. The pin idea was genius of TNT.

#4 lua

lua
  • 100 posts

Posted 04 July 2010 - 03:07 PM

Thank you (:
I just changed my pass the other day, should I do it again? And my PIN is right where it should be, also.

#5 vin

vin
  • 314 posts

Posted 04 July 2010 - 03:18 PM

oh noooo. not that craziness again.

last time was insane *___*

everyone was constantly paranoid from them :/

#6 Scot

Scot
  • ≡^ᴥ^≡

  • 3935 posts


Posted 04 July 2010 - 03:52 PM

Usershops? I thought rogue code was disabled on TNT. Do I have to worry about it onsite or is this an offsite phenomenon?

#7 iargue

iargue
  • 10048 posts


Posted 04 July 2010 - 04:08 PM

Usershops? I thought rogue code was disabled on TNT. Do I have to worry about it onsite or is this an offsite phenomenon?


TNT fails and lets the exploit get through. It's usually done by a faux image or link that runs the JS when you load the page.

Worry about it in user shops always.

#8 Noitidart

Noitidart
  • Neocodex Co-Founder

  • 23214 posts


Posted 04 July 2010 - 04:41 PM

Argue's right. Usershops is like number 1, especially codestones. Second would probably be anything else they can skin. User lookups and definitely, definitely pet pages.

Thank you (:
I just changed my pass the other day, should I do it again? And my PIN is right where it should be, also.

If you visited any one of the 3 above I would do it just to be safe. Or you can just logout then login.

#9 Xwee

Xwee
  • 994 posts

Posted 04 July 2010 - 05:33 PM

Thank you Noit for alerting us to this and giving a brief but efficient guide on avoiding them. Your post deserves a plus *complies*.

For an added note, does staying logged in keep me in danger cause for sites that I visit (Kaibutsu, Neocodex, Neopets, Proboards) I do not log out, the only time my account gets logged out of is if blaze logs onto one of his on the same site. Is this endangering me and should I now begin to start logging out when I am no longer at the site (or at least at neopets)?
With my recent pet customs I have a feeling I may be a CG target as one of my guild members has been begging and trying to sell me stuff as of late. Thanks again.

#10 iargue

iargue
  • 10048 posts


Posted 04 July 2010 - 05:38 PM

Also. Do not worry about our programs that use User Shops.

Our HTTP wrapper does not execute JavaScript (or any other language), and thus is safe from any form of exploit against it.

Thank you Noit for alerting us to this and giving a brief but efficient guide on avoiding them. Your post deserves a plus *complies*.

For an added note, does staying logged in keep me in danger cause for sites that I visit (Kaibutsu, Neocodex, Neopets, Proboards) I do not log out, the only time my account gets logged out of is if blaze logs onto one of his on the same site. Is this endangering me and should I now begin to start logging out when I am no longer at the site (or at least at neopets)?
With my recent pet customs I have a feeling I may be a CG target as one of my guild members has been begging and trying to sell me stuff as of late. Thanks again.



For all intents and purposes, you can't do a cross-site cookie grab (most of the time), because you need to have your code executed on the trusted site.

This works on neopets, because your browser visits neopets and runs that script, using your neopets cookie.

Now, if someone made one and posted it on another forum (not this one; we are too sexy), they could steal your cookie from that one, and just try and guess your username/password from what they have on you. They do this a lot (aka hash lists).

So always make sure your username and password are different than they are on neopets.
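
An added example, not part of the thread and not Neopets' or Neocodex's code: a small Node.js model of two defences behind the advice above, marking the session cookie `HttpOnly` so script running on the site's own pages cannot read it, and invalidating the session server-side on logout so a previously copied ID stops working. The cookie name `sid`, the in-memory store and all function names are assumptions made for the illustration.

```javascript
// Added example: a model, not the site's real code.
const { randomBytes } = require('node:crypto');

const sessions = new Map(); // hypothetical server-side session store: id -> user

function login(user) {
  const sid = randomBytes(16).toString('hex'); // unguessable, new on every login
  sessions.set(sid, user);
  return sid;
}

function logout(sid) {
  // Invalidate on the server; clearing only the browser's copy would leave
  // an ID that was copied earlier still usable.
  sessions.delete(sid);
}

function whoAmI(sid) {
  return sessions.get(sid) ?? null;
}

// Set-Cookie value for the session; httpOnly toggles the weak/hardened variant.
function sessionCookie(sid, { httpOnly }) {
  return `sid=${sid}; Path=/; Secure; SameSite=Lax` + (httpOnly ? '; HttpOnly' : '');
}

// What document.cookie would return to ANY script running on the site's own
// pages, given the Set-Cookie headers the browser has stored.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(';').map((part) => part.trim()))
    .filter(([, ...attrs]) => !attrs.some((a) => a.toLowerCase() === 'httponly'))
    .map(([pair]) => pair)
    .join('; ');
}

function demo() {
  const sid = login('shopper'); // constructed sample user
  const theme = 'theme=dark; Path=/'; // constructed non-sensitive cookie
  const weak = scriptVisibleCookies([sessionCookie(sid, { httpOnly: false }), theme]);
  const hardened = scriptVisibleCookies([sessionCookie(sid, { httpOnly: true }), theme]);
  const beforeLogout = whoAmI(sid); // a copy of the ID works while the session lives
  logout(sid);
  const afterLogout = whoAmI(sid); // the same copy is now rejected
  const freshSid = login('shopper');
  return { sid, weak, hardened, beforeLogout, afterLogout, rotated: freshSid !== sid };
}

console.log(demo());
```

`HttpOnly` only hides the cookie from script; injected script can still act inside the live session, so filtering user-supplied HTML remains necessary.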

#11 Xwee

Xwee
  • 994 posts

Posted 04 July 2010 - 06:02 PM

Also. Do not worry about our programs that use User Shops.

Our HTTP wrapper does not execute JavaScript (or any other language), and thus is safe from any form of exploit against it.

For all intents and purposes, you can't do a cross-site cookie grab (most of the time), because you need to have your code executed on the trusted site.

This works on neopets, because your browser visits neopets and runs that script, using your neopets cookie.

Now, if someone made one and posted it on another forum (not this one; we are too sexy), they could steal your cookie from that one, and just try and guess your username/password from what they have on you. They do this a lot (aka hash lists).

So always make sure your username and password are different than they are on neopets.


You didn't answer my main question, should I worry and start logging out of neopets just to be safe or will it harm my computer as I hadn't logged in that day? (the reference to the others was just to show how many sites I never log out of)

#12 Noitidart

Noitidart
  • Neocodex Co-Founder

  • 23214 posts


Posted 04 July 2010 - 06:35 PM

That was an issue we had last time and we tested it. It takes about 2-? refreshes to reset the session cookie. It's still not proven but to be on the safe side do a quick logout/login.

Argue, that's a great point, I'll add it to the topic post. You can still use programs that access usershops.

#13 Zacharus

Zacharus
  • 589 posts

Posted 04 July 2010 - 07:01 PM

Thanks Noit :) Noscript activated

#14 devil669988

devil669988
  • 355 posts

Posted 04 July 2010 - 07:50 PM

damn that sucks and i thought that was the end of that before.

#15 Noitidart

Noitidart
  • Neocodex Co-Founder

  • 23214 posts


Posted 04 July 2010 - 10:20 PM

Thanks Noit :) Noscript activated

During the last bout of CGs I heard Noscript didn't work. You need to go through and manually uncheck that box.

#16 Zacharus

Zacharus
  • 589 posts

Posted 04 July 2010 - 11:08 PM

During the last bout of CGs I heard Noscript didn't work. You need to go through and manually uncheck that box.


Awww k :( thanks for the heads up

#17 iargue

iargue
  • 10048 posts


Posted 04 July 2010 - 11:43 PM

You didn't answer my main question, should I worry and start logging out of neopets just to be safe or will it harm my computer as I hadn't logged in that day? (the reference to the others was just to show how many sites I never log out of)


Yessss I did. Cross-site scripting won't work. It needs to be executed on the neopets.com domain.

#18 artificial

artificial
  • 186 posts


Posted 05 July 2010 - 02:02 AM

Also. Do not worry about our programs that use User Shops.

Our HTTP wrapper does not execute JavaScript (or any other language), and thus is safe from any form of exploit against it.

For all intents and purposes, you can't do a cross-site cookie grab (most of the time), because you need to have your code executed on the trusted site.

This works on neopets, because your browser visits neopets and runs that script, using your neopets cookie.

Now, if someone made one and posted it on another forum (not this one; we are too sexy), they could steal your cookie from that one, and just try and guess your username/password from what they have on you. They do this a lot (aka hash lists).

So always make sure your username and password are different than they are on neopets.


What do you think XSS stands for? If you're implying you can't grab the cookie of another site without any malicious code being present on said site then well done stating the obvious.

I'd honestly be surprised if the vulnerability was in something as large as user shops. While I don't play Neopets, I'm willing to bet all JavaScript would be filtered. It either sounds like an XSS attack, or an actual JavaScript vulnerability that is most likely on a remote section of the website.

However, if anybody happens to notice their browser connecting to a suspicious remote server, please copy the page source and post it so we can identify the exploit ;)

#19 iargue

iargue
  • 10048 posts


Posted 05 July 2010 - 02:29 AM

What do you think XSS stands for? If you're implying you can't grab the cookie of another site without any malicious code being present on said site then well done stating the obvious.

I'd honestly be surprised if the vulnerability was in something as large as user shops. While I don't play Neopets, I'm willing to bet all JavaScript would be filtered. It either sounds like an XSS attack, or an actual JavaScript vulnerability that is most likely on a remote section of the website.

However, if anybody happens to notice their browser connecting to a suspicious remote server, please copy the page source and post it so we can identify the exploit ;)


Yes. Well done stating the obvious :). Since someone asked that question and I answered their question... Trolling?


And. The vulnerability -is- in the user shops. TNT fails at coding. Most likely it's loading a fake image, which runs the JavaScript. Or it could be anything really. TNT is horrible when it comes to security.

#20 PlanB

PlanB
  • 4 posts

Posted 05 July 2010 - 07:08 AM

Don't forget to change your email PW every once in a while.

#21 iomega

iomega
  • 1070 posts


Posted 05 July 2010 - 09:12 AM

ahh thanks for the heads up... note to self: avoid usershops for the next couple of days...

#22 Shadowfool

Shadowfool
  • 419 posts

Posted 05 July 2010 - 09:41 AM

oo scary scary T_T

#23 Puppetmaster

Puppetmaster
  • 905 posts

Posted 05 July 2010 - 02:15 PM

Added PIN... thanks for the heads up! :D

#24 Scot

Scot
  • ≡^ᴥ^≡

  • 3935 posts


Posted 05 July 2010 - 04:34 PM

With any luck maybe they'll finally disable html in usershops and we won't have to deal with all those mall banners and Geocities style layouts

#25 Zacharus

Zacharus
  • 589 posts

Posted 05 July 2010 - 04:37 PM

If it comes to worse I think they'll disable... what will happen to my fancy shop layout which isn't eye-piercing to everybody :(

