
Neomail Cookie Grabbers


60 replies to this topic

#1 Waser Lave

Waser Lave

Posted 04 November 2010 - 03:52 AM

Apparently there are some cookie grabbers going around in Neomails recently, so if you're concerned you might want to consider changing your Neopets site preferences to Plain Text Neomails or making it so only your Neofriends can send you mails for a while. As always, it's also best to use a PIN on the most valuable parts of your account if you really don't want to risk losing them.

http://www.jellyneo.net/


    #2 Powerrrr

    Powerrrr

    Posted 04 November 2010 - 04:19 AM

    Is Neopets ever going to fix this cookie grabber epidemic :angry:

    #3 DragonEx

    DragonEx

    Posted 04 November 2010 - 04:19 AM

    Thanks for the heads up, good to know. *Starts inserting pin all over*

    #4 KrawkLover

    KrawkLover
    • Trader Score:68.82

    Posted 04 November 2010 - 04:40 AM

    Powerrrr, on 04 November 2010 - 04:19 AM, said:

    Is Neopets ever going to fix this cookie grabber epidemic :angry:

    people say that it's quite impossible, because cookie function enables you to login; disabling the use of cookie function will make you log out every refresh... (not sure if it's true)


    I just wonder how ppl can enter a set of script into the mail and be able to pass the filter...

    #5 Lineage

    Lineage
    • Trader Score:3

    Posted 04 November 2010 - 05:09 AM

    Thanks for the heads up.
    I stopped frequenting the Neoboards so I probably wouldn't have known otherwise.

    *goes to change neomails to neofriend-only*

    #6 soul__stealer

    soul__stealer
    • Trader Score:28

    Posted 04 November 2010 - 05:11 AM

    KrawkLover, on 04 November 2010 - 04:40 AM, said:

    people say that it's quite impossible, because cookie function enables you to login; disabling the use of cookie function will make you log out every refresh... (not sure if it's true)


    I just wonder how ppl can enter a set of script into the mail and be able to pass the filter...

    It is possible. It just requires them to do some better coding and prevent people from being able to use the type of code they can in order to CG (which means a bit of revamping is in order) ooh-rah.

    Supposedly this script is more than a simple CG script, and 'can retrieve your password' if you use your browser 'form saver' function and have your username/password stored.

    Quote

    dorino: you look bad ass from the neck down and above that you're a god damn nerd, soul


    #7 EzioAuditore

    EzioAuditore

    Posted 04 November 2010 - 05:15 AM

    Powerrrr, on 04 November 2010 - 04:19 AM, said:

    Is Neopets ever going to fix this cookie grabber epidemic :angry:


    If they spent their time fixing coding errors how would they ever have time to make new NC?!?!?!

    #8 Faval

    Faval

    Posted 04 November 2010 - 05:46 AM

    soul__stealer, on 04 November 2010 - 05:11 AM, said:

    It is possible. It just requires them to do some better coding and prevent people from being able to use the type of code they can in order to CG (which means a bit of revamping is in order) ooh-rah.

    Supposedly this script is more than a simple CG script, and 'can retrieve your password' if you use your browser 'form saver' function and have your username/password stored.

    Well...isn't that just great. I have to say the guys who make the script are clearly better coders than the guys neopets hire :p

    #9 bloomer

    bloomer
    • Trader Score:3

    Posted 04 November 2010 - 05:54 AM

    thanks for the warning, now i'll be careful who i send mail to

    are there any steps to know if someone is spamming

    #10 Abigail

    Abigail
    • Trader Score:49

    Posted 04 November 2010 - 06:02 AM

    I don't understand how it can be done through neomail, unless they give you a link through neomail and you click on it...
    is it even possible?

    #11 soul__stealer

    soul__stealer
    • Trader Score:28

    Posted 04 November 2010 - 06:17 AM

    Abigail, on 04 November 2010 - 06:02 AM, said:

    I don't understand how it can be done through neomail, unless they give you a link through neomail and you click on it...
    is it even possible?

    No.

    When a page is loaded on the internets, scripts are executed to perform functions... in most cases they are good (example: this page's scripts allow you to have the dropdown bars for your UserCP etc)...

    Most websites allow users to input information. Such as the neomail system (or codex post box). The problem is that due to the neohtml abilities, neopets has the flow in which users can take advantage of certain flaws in order to execute malicious scripts/codes. It's an oversight that Neopets seems to greatly ignore until it's too late.



    #12 EzioAuditore

    EzioAuditore

    Posted 04 November 2010 - 06:22 AM

    soul__stealer, on 04 November 2010 - 06:17 AM, said:

    No.

    When a page is loaded on the internets, scripts are executed to perform functions... in most cases they are good (example: this page's scripts allow you to have the dropdown bars for your UserCP etc)...

    Most websites allow users to input information. Such as the neomail system (or codex post box). The problem is that due to the neohtml abilities, neopets has the flow in which users can take advantage of certain flaws in order to execute malicious scripts/codes. It's an oversight that Neopets seems to greatly ignore until it's too late.

    Isn't it possible to put a link into a neomail and hide it with script though? I thought that's how it was actually happening to people.

    #13 Noitidart

    Noitidart

    Posted 04 November 2010 - 12:32 PM

    Wow i heard this too. I didn't think it was true. Moved to news.
    "PKKKHHHHHEWWWWWW....Safety"

    #14 Kraftwerk

    Kraftwerk
    • Trader Score:4

    Posted 04 November 2010 - 01:10 PM

    Thanks for the warning... I was a victim before and I don't want it to happen again -_-

    #15 iargue

    iargue
    • Trader Score:2

    Posted 04 November 2010 - 01:54 PM

    Faval, on 04 November 2010 - 05:46 AM, said:

    Well...isn't that just great. I have to say the guys who make the script are clearly better coders than the guys neopets hire :p

    Usually just one person makes the script, and thousands of people known as "script kiddies" take the script and use it.

    EzioAuditore, on 04 November 2010 - 06:22 AM, said:

    Isn't it possible to put a link into a neomail and hide it with script though? I thought that's how it was actually happening to people.


    What would the good of hiding a link be?

    They just make a script so whenever you visit a Neomail, it automatically emails your cookie to them, so they just load up the cookie in the browser and have fun. Logging out and back in is greater than this method, because only one cookie is valid at a time.




    #16 myob12345

    myob12345

    Posted 04 November 2010 - 04:52 PM

    i'm not sure i understand how this works. so they write a script into the neomail and it executes when you open the mail? is it just a blank mail then? or do they write some nonsense?

    would adblock (that blocks javascript) or noscript stop this at all?

    #17 iargue

    iargue
    • Trader Score:2

    Posted 04 November 2010 - 05:28 PM

    myob12345, on 04 November 2010 - 04:52 PM, said:

    i'm not sure i understand how this works. so they write a script into the neomail and it executes when you open the mail? is it just a blank mail then? or do they write some nonsense?

    would adblock (that blocks javascript) or noscript stop this at all?


    It can be either one. Usually some nonsense to get you to open it.

    And Noscript would stop it. Adblock would need to block the specific script.




    #18 frostsnow

    frostsnow

    Posted 04 November 2010 - 10:16 PM

    Oh wow. This whole CG-ing business is really starting to do my head in. D:

    Thanks for the warning.

    *goes to change neomail settings*

    #19 Philly

    Philly
    • Trader Score:65

    Posted 04 November 2010 - 11:07 PM

    Thanks for the heads-up *changes settings on plain text neomail*
    When trading with me please remember:

    I live in GMT+1, go to bed early and have a life next to the internet. I might not always reply a second after you messaged me. MSN is quicker.


    #20 DragonX

    DragonX

    Posted 04 November 2010 - 11:14 PM

    Thanks man :)

    I gotta change my settings.



    #21 Scot

    Scot
    • Trader Score:4

    Posted 04 November 2010 - 11:18 PM

    Next thing you know there will be neoboard cgs and tnt will disable all html. Please let this happen.
    nymh (1:46:09 PM): I want a penis.
    nymh (1:48:20 PM): Can I make it look like a snail shell
    nymh (1:48:45 PM): I would hang stuff from it



    #22 Noitidart

    Noitidart

    Posted 05 November 2010 - 01:09 AM

    I think everything plain text would be just awesome. There's nothing wrong with it.

    #23 Fayt

    Fayt
    • Trader Score:9

    Posted 05 November 2010 - 05:29 AM

    There already have been a few Neoboard CG'ers apparently a month or so ago. They were in the trading boards and I saw one apparently on the pet trading board. :/

    #24 Abigail

    Abigail
    • Trader Score:49

    Posted 05 November 2010 - 07:51 AM

    Plain text will fix it?

    #25 Faval

    Faval

    Posted 05 November 2010 - 07:57 AM

    Abigail, on 05 November 2010 - 07:51 AM, said:

    Plain text will fix it?

    Yes, setting your neomails to plain text will prevent the scripts from going off in your neomail. Unless you meant something else?
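
Added example, not part of any post in this thread and not Neopets' code: a sketch of the two server-side measures that correspond to what the posts describe, rendering a message as plain text so markup from the sender is displayed rather than run, and marking the session cookie HttpOnly so page script cannot read it. The function names, the cookie name and the sample message are assumptions made for illustration.

```javascript
// Characters that let text break out into markup or attribute values.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Plain text" mode: every character of the message is shown literally,
// so markup sent by another user is displayed instead of interpreted.
// Line breaks are the only formatting the renderer adds itself.
function renderPlainText(body) {
  return escapeHtml(body).replace(/\r?\n/g, '<br>');
}

// Build a Set-Cookie value for the session. HttpOnly keeps the value out of
// document.cookie while the browser still sends it with every request, so
// logins keep working. Secure and SameSite narrow where it is sent.
function sessionCookie(name, token) {
  const safe = /^[A-Za-z0-9_-]+$/;
  if (!safe.test(name) || !safe.test(token)) {
    throw new Error('unexpected characters in cookie name or token');
  }
  return `${name}=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample message (not taken from the thread).
const sampleMail =
  'Hi!\n<b>free items</b> <script>/* sender-controlled code */</script>';

console.log(renderPlainText(sampleMail));
// Hypothetical cookie name and constructed token value.
console.log(sessionCookie('session', 'c29tZS1yYW5kb20tdG9rZW4'));
```
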

