For Neopets ONLY discussion.
Topic locked

The All Clear?

Fri Jan 06, 2006 10:47 pm

I was just wondering if that whole cookie grabber thing had blown over? I've not really been playing neopets the last couple of days so I'm a bit out of the loop :oops:

But I have a pet waiting for just one more codestone in the Academy so I'd really like to know - is it secret? Is it safe?! </Gandalf>

Fri Jan 06, 2006 10:56 pm

I've been cruising the AC for a while and I haven't heard anything about it so I think it's all clear. I've looked at a few Petpages and Userlookups and so far I'm fine. (*knocks on wood*)

Fri Jan 06, 2006 10:59 pm

What I always wondered... Do these CG's actually target accounts, or are they completely random? Cause currently, if they were targeting, I think there'd be a whole lot of accounts more interesting than mine.

Fri Jan 06, 2006 11:29 pm

Cookie Grabbers go on customizable web pages (e.g. Shops, User Lookups and Pet Pages) and anyone who visits one with one on will have their cookies grabbed. It doesn't target, per se.

Cookie Grabbers' code looks rather distinctive, so if there is one on the page and you know a programming language, you should be able to see it there. If you do, then it's safe but always change the password. Heck, to be safe change your password whenever you look at a customizable page, if you're paranoid :P

Sat Jan 07, 2006 3:33 am

Yeah I'm wondering if it is all clear myself too. If it is I want to log in my account and start voting in the beauty contest. It's a bummer if I can't trust pet pages and look-ups.

Odd that I couldn't log into my main account today. I thought I knew the password but it failed to work. I sent a request for a change, but haven't gotten an email.

I hadn't seen any notification in my email account that my password had changed these last two days so maybe I genuinely forgot, but still it's odd.

The lack of response from TNT is making me very uneasy.

Edit: I tried again this time using the email form and got a reply. It's my own doing. I had changed it.

No wait a second, I did not change it. It's the keyboard I'm using. Some of the characters the keyboard can't type. That makes sense. This keyboard needs to be replaced.

I get paranoid easily. >_>

Sat Jan 07, 2006 4:31 am

Apparently if you update your Internet Explorer it fixes the problem. There is a new fix at the Microsoft site.

Sat Jan 07, 2006 4:37 am

What about those using Firefox or other browsers? Or is the IE update in response to the Microsoft security hole?

Sat Jan 07, 2006 5:05 am

The update that's been mentioned has to do with Windows and how it would view certain images. There was a bug found and people could hack your computer if you viewed/opened a certain image.

Either way, to fix it, go to: http://update.microsoft.com/

It only had to do with Windows. And it doesn't matter what browser you use, the patch will fix the problem. (But you will need IE to do the update.)

Sat Jan 07, 2006 5:57 am

Thanks. I'll check to see if it installed on this machine. It may have already updated when my mom set it up (it has an auto update setting enabled), but it doesn't hurt to check, right?

edit:
High-priority updates
No high-priority updates for your computer are available. To check for optional updates, return to our home page and click Custom.


Ok Good to go. I probably need to do the update on my own computer.

Sat Jan 07, 2006 11:04 am

IcyBlue wrote: The update that's been mentioned has to do with Windows and how it would view certain images. There was a bug found and people could hack your computer if you viewed/opened a certain image.

Either way, to fix it, go to: http://update.microsoft.com/

It only had to do with Windows. And it doesn't matter what browser you use, the patch will fix the problem. (But you will need IE to do the update.)


i believe you're talking about [url=http://www.microsoft.com/technet/security/advisory/912840.mspx]this[/url] (microsoft.com link), which i'm pretty sure wasn't related to the neopets issue?

at any rate, i wanted to provide the link because it was just yesterday (two days ago, now, actually) that microsoft was ready to respond, and it's an issue that affects many many people.

Sat Jan 07, 2006 3:57 pm

Yes that was an unrelated problem from the neopets thing (though people should go get the critical update as always).

I'm going to assume it's all over as everything has gone rather quiet, and they did say a while back that the gap had been closed. Hurrah :)

Sun Jan 08, 2006 7:34 am

I never knew about this issue until I read this. :roflol: It has never affected my account before though. So I feel safe on neopets. :D

Hackers...

Sun Jan 08, 2006 10:41 am

The MS update is important to get because it was a particularly bad security hole that would have been easy to exploit. MS got an official update out very quickly, though. The problem has only been known in security circles for a little over a week, so it hasn't had the opportunity for exploits to become very widespread. I'm not sure if it's been a problem on neopets or not. I've seen some suggesting they were including code in images, and I think this might be the only known way to do that. I suspect that's just talk, but it's possible that's been done in the last week, as it apparently isn't too hard to get an example copy of one of these images and pretty much drop in whatever code (including any known trojan, or other exploit) you wanted to execute.

There seems to have been another flurry of stolen accounts tonight (just when things were seeming to calm down). I think there seems to be more problem on weekends when there isn't TNT staff to deal with problems and block them, possibly also because these are probably kids in school during the week.

Some are reporting they're getting people to chat on MSN or AIM and somehow getting into hotmail accounts (which some use as their e-mail). Some are apparently falling for links to scam off-site websites. There are many ways they could be getting information there. It's not clear whether these sites are exploiting a flaw that allows them to get cookies (there's an older flaw in some unupdated IE versions that could), whether they're persuading people to download trojan software, or fooling people with spoofed neopets pages. They could be getting people to register on sites, and then exploit that in some ways. Some might use the same password on multiple sites (including neopets). If they get a registration e-mail, they could later send a spoof e-mail that appears to come from neopets.

What's a shame is that there are many legit fan sites (like this, or idb), that many users new to them are now afraid to visit. Technically, it might even be against the rules to post urls to such sites on the neoboards. I hope, while they're cracking down on the abuses, that they don't go overboard and go after people posting links to good sites.

Sun Jan 08, 2006 1:25 pm

What I don't understand is... How the hell can things like this even affect the Neopets site. The cookie grabber comes along, and surely (if Neopets has any sense) it will grab a hashed password; not a password. And surely (again, if Neopets has any sense), their hash will be unbreakable, and therefore, you should just have to brute force it for any collisions, which will take as long as just brute forcing the entire password anyway...

Mon Jan 09, 2006 12:00 am

Matt wrote: What I don't understand is... How the hell can things like this even affect the Neopets site. The cookie grabber comes along, and surely (if Neopets has any sense) it will grab a hashed password; not a password. And surely (again, if Neopets has any sense), their hash will be unbreakable, and therefore, you should just have to brute force it for any collisions, which will take as long as just brute forcing the entire password anyway...


You can probably still masquerade as the user by planting the cookie on your own computer. I'm sure the Neopets server doesn't remember users based on IP......there's no way to query MAC address right?

Also, I think I heard that it's possible to store all hash possibilities of a 7-letter password into a hard drive and break it. A quick calculation with (26^7*8 / 2^30) produces searching through something like 60 GB - certainly not impossible to do.

I doubt the cookie contains a hash of just the password though - they probably hash something like username-date-time-randomintegers and store that into the cookie and their own local database.
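
Added example, not part of any post above and not Neopets' code: it contrasts the two cookie designs discussed in the last two posts and reproduces the 7-letter table estimate. The hash choice (SHA-256), the `SessionStore` class and every function and account name are assumptions made for illustration.

```python
import hashlib
import secrets


def table_size_gib(alphabet=26, length=7, bytes_per_entry=8):
    """Storage for one entry per 7-letter password, as estimated in the post."""
    return alphabet ** length * bytes_per_entry / 2 ** 30


def password_derived_cookie(password):
    """Weak design (assumed): the cookie is an unsalted hash of the password.
    The value never changes between logins and can be looked up in a table."""
    return hashlib.sha256(password.encode()).hexdigest()


class SessionStore:
    """Stronger design: random tokens that only mean something server-side."""

    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, username):
        token = secrets.token_urlsafe(32)  # unrelated to the password
        self._sessions[token] = username
        return token

    def whoami(self, token):
        return self._sessions.get(token)

    def change_password(self, username):
        # Revoke every session for this user so a copied cookie stops working.
        stale = [t for t, u in self._sessions.items() if u == username]
        for token in stale:
            del self._sessions[token]
        return len(stale)


def set_cookie_header(token):
    # HttpOnly keeps page scripts from reading the cookie at all.
    return f"Set-Cookie: session={token}; HttpOnly; Secure; Path=/"


if __name__ == "__main__":
    print(f"7-letter table: {table_size_gib():.1f} GiB")
    store = SessionStore()
    copied = store.login("constructed_user")   # constructed sample account
    print("copied cookie accepted as:", store.whoami(copied))
    store.change_password("constructed_user")
    print("after password change:", store.whoami(copied))
```

A copied random token is accepted until the server forgets it, which is why changing the password only helps if it also revokes existing sessions; a password-derived cookie stays the same until the password changes and also exposes the password to table lookup.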