For Neopets ONLY discussion.
Topic locked

Sat Dec 09, 2006 10:11 pm

Set your pins, that's the best you can do.

I'm always curious as to how this gets so easily exploited. What is it about NP's system that makes it so vulnerable to insertion of malicious code?

Well, no matter. I can have fun on the site playing games and challenging myself that way.

Sat Dec 09, 2006 11:29 pm

shapu wrote: I'm always curious as to how this gets so easily exploited. What is it about NP's system that makes it so vulnerable to insertion of malicious code?

Mm, I dunno. I'm guessing it's the degree to which they allow us to personalise our pages. I think anywhere where a user is able to insert something into an HTML page is vulnerable, and it'd be so difficult to filter through all the HTML and CSS and pick out whether something's dodgy or not.

I wonder if sites like MySpace or LJ have similar security issues? (since they allow personalisation of pages too) I know LJ had one a few months back ... I guess it's nowhere near as tempting for people to hack into accounts on those sites though.

--

Edit: It's a pity that TNT don't post something on the news, when CG-ers find a new exploit like this and are actively threatening people (more than usual).

I tend to ignore posts on the Neoboards (and even here, a bit :oops:) because things sometimes get a bit hyped up. But if it's something more serious, and TNT is actually working to fix it as we speak... that's a bit different.

Sun Dec 10, 2006 4:34 am

Eeep! *goes into super paranoid mode* Well so much for my plan to work on buying junk for the pack rat av tonight. Oh well that can always wait.

I'm wondering... cookie grabbers are script right? So if you disable scripts temporarily for neopets.com, would you be safe? Or does this new exploit possibly work another way? In any case, I'm not taking any chances.

Sun Dec 10, 2006 4:37 am

If you disable scripts for Neopets in general, not just their ads, you'll find most of the site to be inaccessible. You might as well stick to playing games, or stay away for a while.

Sun Dec 10, 2006 5:08 am

Huggles wrote: If you disable scripts for Neopets in general, not just their ads, you'll find most of the site to be inaccessible. You might as well stick to playing games, or stay away for a while.

Yes I know that, I was just curious IF disabling scripts would make you invulnerable. Just for pure curiosity's sake. Like I said, I don't plan to visit any shops, lookups, etc, until TNT fixes this, whether that's the case or not.

Although I do occasionally turn scripts off temporarily on neopets when visiting user created pages, when something seems fishy to me, or if I have a paranoid moment. XD It's very easy for me to turn scripts on and off quickly so I can go back and forth, if I want to.

Edit:
Haha! And of course now I get a faerie quest! XD

Sun Dec 10, 2006 7:31 am

I'm always paranoid about cookie grabbers. I rarely visit pet/lookup pages and only visit user shops when I need something (restocking/quests). Plus my passwords/PIN#'s are very hard to guess.... even for people that know me well.

At least that way I feel safe when there are CG scares. You can never be completely protected, but you can at least be prepared.

Sun Dec 10, 2006 7:47 am

mazil wrote: I wonder if sites like MySpace or LJ have similar security issues? (since they allow personalisation of pages too) I know LJ had one a few months back ... I guess it's nowhere near as tempting for people to hack into accounts on those sites though.

There's one on MySpace at the moment, something to do with Shockwave I think.

Sun Dec 10, 2006 10:21 am

Personalization is only part of the problem. The real issue is what is stored in the cookies they send out. Neopets is a terrible mess code/security-wise. The problem with the cookies password-wise is that they have a cookie (toolbar=username%2BC%2BpasswordMD5hashed) which can only be "grabbed" and read by code from neopets.com.

The problem is twofold. MD5 sucks for, though it is widely used for it, securing transmitting passwords. The other problem is the power of ActionScript in Flash. Though I don't believe it should be able to "grab" a cookie unless the Flash itself is hosted on the neopets.com domain. I'm fairly certain most browsers would prevent this.

And also Cross Site Scripting exploits are NOT limited in ANY way to Neopets. Though I would recommend some serious changes for the way they handle security -- ESPECIALLY with premium having launched. They cannot think to charge people while using cookies with a clearly MD5 hashed password going back and forth with each transaction (packet sniffer paradise). I know people still swear by MD5, but at least Neopets could salt the password or something.

blah!
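
An added example, not part of the original post and not Neopets code: it rebuilds the cookie layout quoted above (username, `C`, unsalted MD5 of the password, joined by `%2B`) to show that such a value is a fixed, password-derived credential, next to a random server-side session token and a salted password verifier. All function names, the `session` cookie name and the sample accounts are assumptions.

```python
import hashlib, hmac, secrets
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote

def weak_toolbar_cookie(username, password):
    # Layout quoted in the post: username + "C" + MD5(password), '+' sent as %2B.
    digest = hashlib.md5(password.encode()).hexdigest()
    return "toolbar=" + quote(f"{username}+C+{digest}", safe="")

def parse_toolbar_cookie(header):
    # Returns (username, md5_hex); the middle "C" field is discarded.
    _, _, raw = header.partition("=")
    username, _flag, digest = unquote(raw).rsplit("+", 2)
    return username, digest

SESSIONS = {}  # token -> username, held server-side (hypothetical store)

def hash_password(password, salt=None):
    # Per-user random salt plus a slow KDF for the stored verifier.
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_password(password, salt, stored):
    # Constant-time comparison of the recomputed verifier.
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

def issue_session_cookie(username):
    # Random token unrelated to the password; HttpOnly hides it from page
    # script, Secure keeps it off plain-HTTP connections.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return token, cookie["session"].OutputString()

def revoke(token):
    # Logging out invalidates the token; the password is untouched.
    SESSIONS.pop(token, None)

if __name__ == "__main__":
    # Constructed sample accounts sharing one password.
    for user in ("alice_constructed", "bob_constructed"):
        print(parse_toolbar_cookie(weak_toolbar_cookie(user, "same-password")))
    print(issue_session_cookie("alice_constructed")[1])
```

With the weak layout, two accounts that share a password carry the same digest and the cookie never changes between logins; the session token differs on every login and can be revoked without a password change.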

Sun Dec 10, 2006 11:32 am

Wow, how do you know so much about it?

Sun Dec 10, 2006 12:13 pm

My guess is that spudge is quite knowledgeable when it comes to computers ;)

Sun Dec 10, 2006 1:52 pm

I'm taking all the precautions. But how do we know when it's safe again? Neopets has not, in the past, been helpful in either acknowledging problems like this or giving an all clear.

Sun Dec 10, 2006 3:41 pm

marccaty wrote: I'm taking all the precautions. But how do we know when it's safe again? Neopets has not, in the past, been helpful in either acknowledging problems like this or giving an all clear.

I'd say wait till Tuesday. I'm not going to any shops, lookups or new Petpages today.

Sun Dec 10, 2006 6:25 pm

Neopets did post in the editorial about the trading post cookie grabber issue. Hopefully they'll put it in the news this time.

As much as it pains me to say this, I wonder if TNT will have to disable user customized shops, lookups, and petpages. Instead of doing it ourselves, they could have a form to fill out with our text and colours of choice. (which wouldn't be half as good, but maybe it would be safer)

Sun Dec 10, 2006 7:22 pm

If you guys want to disable cookie grabbers, and you have IE, go to Tools, Internet Options, Privacy and bring the Settings bar to the top.

Sun Dec 10, 2006 10:24 pm

yvonne_l_d wrote: As much as it pains me to say this, I wonder if TNT will have to disable user customized shops, lookups, and petpages. Instead of doing it ourselves, they could have a form to fill out with our text and colours of choice. (which wouldn't be half as good, but maybe it would be safer)

I really hope they don't consider doing that! >.< They should make their security better instead.