Neomail Cookie Grabbers

60 replies to this topic

#26 vrtx (170 posts)

Posted 06 November 2010 - 02:05 PM

Well, I've just recently come back to Neopets after a 3-4 year break. I just found out about these cookie grabbers, and apparently today my account was compromised. Password and email changed. (My dumbass self apparently didn't have a PIN on the account).

Now for the crappy part (and perhaps the account was compromised in a different way): the only neomails I have received recently are from two members of this website. (People I had purchased Neopets stuff from these last 2-3 weeks.)

I really hope that the people I suspect aren't actually behind this.

#27 Waser Lave (25516 posts)

Posted 06 November 2010 - 02:09 PM

They wouldn't be able to change your password or email from a cookie grabber so you lost your account some other way.

#28 vrtx (170 posts)

Posted 06 November 2010 - 02:14 PM

> They wouldn't be able to change your password or email from a cookie grabber so you lost your account some other way.

Fantastic. Looks like I have a keylogger... All my other accounts are fine, however.

#29 Waser Lave (25516 posts)

Posted 06 November 2010 - 02:15 PM

> Fantastic. Looks like I have a keylogger... All my other accounts are fine, however.

Or they could have got it from somewhere like a hash list.

#30 vrtx (170 posts)

Posted 06 November 2010 - 02:16 PM

> Or they could have got it from somewhere like a hash list.

Sorry, not familiar with the lingo. :x What's a hash list?

#31 Waser Lave (25516 posts)

Posted 06 November 2010 - 02:18 PM

> Sorry, not familiar with the lingo. :x What's a hash list?

If you've got any accounts on places like Neopets help sites (Jellyneo, thedailyneopets etc) then occasionally people exploit vulnerabilities in those sites and export the database information. They can then use that information to crack the passwords and steal Neopets accounts.

#32 vrtx (170 posts)

Posted 06 November 2010 - 02:21 PM

> If you've got any accounts on places like Neopets help sites (Jellyneo, thedailyneopets etc) then occasionally people exploit vulnerabilities in those sites and export the database information. They can then use that information to crack the passwords and steal Neopets accounts.

Damn, not even... The only website I frequent is this one. And it's funny to say, since everyone here is either a cheater or a hacker, but I kind of trust you guys =p

#33 Plunk (Official Neocodex Dollface, 545 posts)

Posted 06 November 2010 - 03:22 PM

Of course you do, these are good people. They're not hackers, they're programmers. Calling them cheaters and hackers is kind of an insult. It's more... exploiters and programmers.
On topic: Yeah, I ended up getting CG'd the other day... glad I had pins on everything but on hand NP... I don't have much in the bank now but I only keep 50K on hand. Plain text setting it is.

#34 yoongguk (534 posts)

Posted 06 November 2010 - 06:17 PM

Who neomails in fancy colours and shit, anyway?

#35 Noitidart (Neocodex Co-Founder, 23214 posts)

Posted 07 November 2010 - 10:24 AM

> Who neomails in fancy colours and shit, anyway?

Haha, you're right. If you do see weird colors, something's up. :p

#36 hello123 (5 posts)

Posted 05 January 2011 - 06:37 AM

So is this exploit still going on now, or is it fixed?

Anyway, this exploit is called Cross-Site Scripting :)

I guess it's that Neomail doesn't have the script tag properly filtered, and the hackers managed to find a way to bypass the filters and craft JavaScript that posts our cookie, read through the document.cookie method, to some website of theirs.

Anyway, other than restricting Neomail to friends only, you can also choose to disable JavaScript in your browser to protect yourself. However, this is not recommended, as many websites, including Neopets, run JavaScript, so disabling the option might stop some functions from running properly. Neopets should consider using HttpOnly cookies to prevent future XSS attacks; nowadays most people have their browsers updated, so it would prevent most people from getting attacked by XSS exploits.

#37 bakedpotato (153 posts)

Posted 05 January 2011 - 10:46 AM

Just saw this and got worried. I clicked on a Neomail from someone I don't know, saying they "just wanted to say hi"...

This got me all worried. Guess I'll just change my password while nothing has happened yet.
Thanks for bumping this up 'cause I wouldn't have seen it and could have got my stuff stolen!

#38 Rakkier (3 posts)

Posted 05 January 2011 - 05:38 PM

Would it possibly be a little safer if we clicked the "See all events" button before opening the Neomail, to get a little sneak peek at what's inside and make sure it's from a friend before we officially fully open it?
Or does it not matter?
Thanks for the info though, pinning up my account~


#39 hello123 (5 posts)

Posted 06 January 2011 - 04:11 AM

> The more effective way of stopping it was to enable 'Plain text Neomails only'.

You can't do 'Plain text Neomail only' since it's in an HTTP browser. The browser uses the HTTP GET method to retrieve data over port 80 from the web server; the web server sends back the plaintext data your browser requested, and your browser turns that plaintext data into application-level output to display in your browser.

The browser reads HTML code and renders it. Tags such as script tags are also HTML code, so if someone is able to write a script tag that gets sent in plaintext, the browser will automatically read it as a script and launch it. This is how an XSS attack works. The defence against XSS attacks is filtering of tags, like filtering the word script, < >, &lt; &gt;, %60 and so on. How the XSS filtering works is crucial: there are ways to bypass the filter if it isn't properly coded to look for all the possible ways the script tag 'plain text word' can be POSTed.

This is how the recent Neomail steals your cookies: it POSTs you a Neomail whose text forms a script tag that the browser's HTML parser reads as a script to run, so your browser launches the script, and the script appears to POST your cookie somewhere, using the document.cookie function in JavaScript to retrieve the cookie you are currently using.

However, setting the HttpOnly parameter on cookies, if your browser supports it, will block these XSS attacks. document.cookie is the command to retrieve your cookie, and it is a JavaScript function. Making the login cookie HttpOnly restricts access to the cookie to HTTP only, so JavaScript has no privilege to retrieve the login cookie; the document.cookie command couldn't retrieve the login cookie data because client-side JavaScript does not have the privilege to do so. The cookie can only be read and used over HTTP.

That's how you block the XSS script. However, your browser must support the HttpOnly parameter; if not, it won't work. Nowadays most browsers support it; it's just that the developer isn't implementing it as an extra precaution against XSS attacks.

#40 iargue (10048 posts)

Posted 06 January 2011 - 05:36 AM

> You can't do 'Plain text Neomail only' since it's in an HTTP browser. The browser uses the HTTP GET method to retrieve data over port 80 from the web server; the web server sends back the plaintext data your browser requested, and your browser turns that plaintext data into application-level output to display in your browser.

At this point, I will just simply correct you, and leave it at that.

If you go to your preferences in Neopets, then you get this handy option.

What this does is: whenever someone sends you a Neomail, the server removes all HTML tags inside the Neomail and sends it to you.

So this 100% prevents all Cross-Site Scripting, thanks to the fun fact that no one can send you any HTML code at all. It's just like running NoScript.

I'll leave the rest of your copy-pasted explanation, because it's mostly correct.

#41 Vizkiu (501 posts)

Posted 17 January 2011 - 10:49 AM

Can I block so I would not get messages with CG?

#42 Ziz (936 posts)

Posted 17 January 2011 - 11:15 AM

> Can I block so I would not get messages with CG?

If you refer to blocking the scripts on your preferences (what Iargue posted), you won't receive any Nm with cookie grabbers.

#43 CuriousOyster (371 posts)

Posted 17 January 2011 - 01:08 PM

> Just saw this and got worried. I clicked on a Neomail from someone I don't know, saying they "just wanted to say hi"...
> This got me all worried. Guess I'll just change my password while nothing has happened yet.
> Thanks for bumping this up 'cause I wouldn't have seen it and could have got my stuff stolen!

Yeah, I got one just like this and it got me pretty freaked out after reading this..
Thanks for the heads up guys :p

#44 Tigerzz (160 posts)

Posted 17 January 2011 - 01:44 PM

Thanks very much guys :|
I've had a lot of weird things happen to me on Neo recently, like weird messages from newbies and stalkers on the boards saying they're gonna kill me and shit.
Neo keeps getting better at scaring me, so I'm gonna change my password like every week or so. It's annoying thinking of a totally different one every time though.

#45 CuriousOyster (371 posts)

Posted 17 January 2011 - 06:27 PM

Uhm... This is kinda interesting.
I keep getting Neomails from myself on my shells, but nothing is missing from my account.
My girlfriend's account is also sending me Neomails, yet it isn't her sending me the messages.
Does anyone know why this is happening?
It's kinda scary.. :lookaround:


#46 Ziz (936 posts)

Posted 17 January 2011 - 06:32 PM

> Uhm... This is kinda interesting.
> I keep getting Neomails from myself on my shells, but nothing is missing from my account.
> My girlfriend's account is also sending me Neomails, yet it isn't her sending me the messages.
> Does anyone know why this is happening?
> It's kinda scary.. :lookaround:

Either you are entering on your sides while you are high, or someone got your passwords.

#47 Icey Defeat (8298 posts)

Posted 17 January 2011 - 06:40 PM

Thanks for the tip!

#48 jaredennisclark (838 posts)

Posted 17 January 2011 - 11:31 PM

> Uhm... This is kinda interesting.
> I keep getting Neomails from myself on my shells, but nothing is missing from my account.
> My girlfriend's account is also sending me Neomails, yet it isn't her sending me the messages.
> Does anyone know why this is happening?
> It's kinda scary.. :lookaround:

What do they say?

#49 CuriousOyster (371 posts)

Posted 18 January 2011 - 11:38 AM

> What do they say?

Fortunately I haven't gotten any today.
But when I was getting them they would often come in a set of 5 messages saying "Hello" and "Are you on?"
It seemed very odd to me, so I set up a PIN on each of my accounts and changed my password, along with doing all the safety precautions above in this thread to secure my accounts.

#50 Ninetales (52 posts)

Posted 18 January 2011 - 05:46 PM

Wow. Really? That is going to be such an inconvenience. Thanks for the heads up. Is it ok to warn other friends about this?? They don't use the site, but I would like to give my guildies the heads up.
