Cookie Grabbers, hereto referred to as "CG" can make you lose your account before you even know its gone.
People have been getting CGd all over Neopets. Assuming you're immune and it won't ever happen to you is the first mistake to be made. People have been targeted specifically, people have just come across the wrong user lookup. In this guide I will attempt to explain how CGs work, why TNT hasn't done anything yet, and most importantly... How to protect yourself.
So How Is It Possible?
CGs are very basic coding that can be implemented into almost any page on most web pages, usually without you ever knowing that you've been nabbed. A bit of PHP, a dash of Javascript and you got yourself a CG. The PHP translates the personal information stored on your computer into a format that can be read and saved by the Javascript. Most recently Neopets has disabled PHP and Java across their site. So we should all be nice and safe now right? WRONG! Flatnukes (Flatnux for short) is a recent addition to the coding world and allows any scripts to be run regardless of whether or not the original coders attempted to block it. It was intended to be used so you wouldn't need to go through an entire page of code just to add in a bit of Java or XSS when you originally coded it to be blocked, more recently it has been used for more devious methods.
What Happens Once You're CG'd?
Once a CGer gets your cookie, there is still a process to get into the account and therefore, you have time to protect yourself as best you can. The information that was processed and snagged by the PHP/Java will be saved in a hashed fashion into a .txt file. Most sites aren't stupid enough to save a cookie in an ACCOUNT:PASSWORD fashion, most are a combination of login time, name, password, and any other odd information that will make unhashing the password even more difficult. This information is then encrypted, hashed, and saved on your harddrive until the CG manages to get a hold of it. Unhashing passwords and accounts is a process, and takes a bit of time (usually up to 3 or 4 hours with the help of a program). Once again, this is the time you should be added PINs and changing passwords, if you know you've been CG'd that is.
Does TNT Know About This?
They undeniably do, but stopping an entire coding language is a difficult process, and the fact that Flatnux has been made specifically to override said code makes it even MORE complicated. I'm sure they are working on getting it fixed, and have been at it for at least 3 months. The time for the exploit is running out, but it only takes a day to lose your account to a CG forever.
How Can I Protect Myself?
Here it is, the reason you're probably visiting this guide. The answer is extremely simple and you will likely be shocked at how easy it is to avoid being CG'd... Meet my good friend NoScript!
Chrome: https://chrome.googl...lpidmdajjpkkcfn
Firefox: https://addons.mozil...addon/noscript/
Edit: Props to Jibri for Chrome NotScripts.
If you're using IE/Safari I would highly suggest switching as neither of them offer access to a Java blocking option and you will ALWAYS be susceptible to CGs!
If there are any questions feel free to PM me and I promise to help you out to the best of my (and your) ability. This concludes the first guide from your friendly neighborhood Abradix! Expect to see more soon.
Edited by Abradix, 23 January 2011 - 11:16 AM.
