Pink Poogle Toy Forum

The official community of Pink Poogle Toy

All times are UTC




Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 82 posts ]  Go to page Previous  1, 2, 3, 4, 5, 6  Next
Author Message
 Post subject:
PostPosted: Fri Dec 30, 2005 2:13 am 
Newbie

Posts: 21
Joined: Thu Dec 22, 2005 6:30 am
I'm terrified of all these scams... I can't bear the thought of losing my pets, petpets, and accumulated junk! I'm seriously considering setting up a side account specially for shopping/browsing user pages.

But is using an account to shop and then transferring the items to my main within Neopets' rules?


 
 Post subject: Yeah this is happening
PostPosted: Fri Dec 30, 2005 3:40 am 
Newbie

Posts: 40
Joined: Sat Sep 17, 2005 6:03 pm
Location: Florida
First of all, yeah it's real. I saw some of this happening two nights ago on the battledome board where they were giving away really expensive items from other people's accounts. I also saw one of the users on last night whose account had been hacked. This guy was a long-time user - said he lost over $300 Million in np & items. This is a guy I've seen on that board before, saw the account when the thief was in it, and I believe when he says he lost that much. As he described it, they had broken into at least 4 very valuable premium accounts and transferred a lot of items to smaller accounts that had also been compromised, before giving them away, or selling them cheap. He said he didn't know when he had visited the cookie grabber. And, sadly, said no one had yet returned anything, though friends had given him some things. Which made me wish I had tried to get an item. Most people didn't for fear of being frozen.

One key point I'd like to make is that clearing cookies does very little. Once they have a copy of your cookies it's too late. They can copy the cookies to their browser, and they're logged into your account. Plus, the cookies have to be active to use the site - so they're recreated as long as you're logged in. And if they are really able to insert it on the site itself (in shops or petpages) it probably doesn't matter what browser you use. What you can do to be safe is change your password if there's a chance you've visited one of these. Once the password is changed, the old cookie should no longer work. So if you suspect something is wrong, change the password first, then check your email (if that's been altered they could have a password sent). And if you use IE 5.5 or 6.0, make sure you have the latest security update (as there had been a hole there which could have allowed off-site cookies to be read).

It might be possible to change the password before doing any shopping, and then change it back when you're done, but it would also be a nuisance. Using a backup account to do all shopping might be possible; I don't know if there's a problem with transferring NP, but as long as you're not selling, playing games, earning np, doing quests, etc, it seems that should be within the rules...though how you transfer your np I'm not sure. I think it might be a good question to send to the editorial though, can you use a spare account to do your shopping?

I'm still not certain how they're getting into these accounts; a way to get javascript to work seems plausible enough, but I wouldn't just take anyone's word for it either. One person told me they were embedding php into an image file, which supposedly had a file ending like .php?.gif - which doesn't quite make sense to me. I can understand how code could be embedded in some image formats, don't understand how it would be executed. My knowledge is limited though.

The thief was posting under the user name drink_bawls 2 nights ago when I saw this; this was probably just another compromised account. I copied the user lookup and found nothing there; didn't check the petpage or shop - but it looked like a backup account - so there's probably nothing there. I changed my password immediately after just to be sure.


Top
 Profile  
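Added example, not part of the thread and not Neopets code: a minimal Python model of the point made in the post above, that deleting a cookie in the browser does nothing to a copy held elsewhere, while a password change can cut off every earlier cookie if the server ties sessions to the credential. The SessionStore class, its method names and the sample account are assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets

class SessionStore:
    """Server-side sessions bound to a per-user credential version (constructed model)."""
    def __init__(self):
        self._users = {}     # username -> {"salt", "pw_hash", "version"}
        self._sessions = {}  # cookie token -> (username, version at login)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, username, password, version=0):
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "pw_hash": self._hash(password, salt), "version": version}

    def login(self, username, password):
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], self._hash(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)  # the value the browser stores as its cookie
        self._sessions[token] = (username, user["version"])
        return token

    def whoami(self, token):
        username, version = self._sessions.get(token, (None, None))
        if username is not None and self._users[username]["version"] == version:
            return username
        self._sessions.pop(token, None)    # unknown cookie, or issued before a password change
        return None

    def change_password(self, token, new_password):
        username = self.whoami(token)
        if username is None:
            return None
        # Bumping the version makes every cookie issued earlier stop matching.
        self.set_password(username, new_password, self._users[username]["version"] + 1)
        return self.login(username, new_password)

def demo():
    store = SessionStore()
    store.set_password("owner", "old-password")
    cookie = store.login("owner", "old-password")
    copied = cookie                        # a copy of the cookie value held in another browser
    before = store.whoami(copied)          # valid whether or not the owner's browser deletes its cookie
    fresh = store.change_password(cookie, "new-password")
    return before, store.whoami(copied), store.whoami(fresh)
```

demo() returns the account the copied cookie maps to before the password change, after it, and the account for the newly issued cookie.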
 
 Post subject:
PostPosted: Fri Dec 30, 2005 4:05 am 
PPT Trainee

Posts: 603
Joined: Fri Sep 23, 2005 5:31 am
I know this won't make me popular, but this is exactly why I am against html in shops, user lookups, etc.


 
 Post subject:
PostPosted: Fri Dec 30, 2005 4:28 am 
PPT Student

Posts: 319
Joined: Thu Sep 22, 2005 11:07 am
I wonder if TNT can "review" the customized pages before turning them loose on the public -- i.e., if someone wants to make a grand user lookup, have them submit it to TNT, have TNT check it for CGs and viruses, and if it "passes" release it, if it's just buggy reject it, and if it's contaminated strike the user. It would slow things down, I suppose, but better than poisoning a community because of a few filthy infiltrators.


"I can't make heads or tails of this."


 
 Post subject:
PostPosted: Fri Dec 30, 2005 4:42 am 
Honorary Member

Posts: 5276
Joined: Mon Sep 12, 2005 3:45 pm
Location: Los Osos, CA, USA, Earth, Sol System, Milky Way Galaxy
Gender: Male
Personally, I'm with both Elric and background_noise. I update my lookup and shop so rarely that I don't mind them screening me. I am also so bad at HTML that I only use what is given by trusted sources, which is why my shop is full of kitschy Neopets images and blogs. Sigh. This is why I don't like dealing with most people... :roll: :o ~:> except the fine people here :D :battar: ~:> :peace:


 
 Post subject:
PostPosted: Fri Dec 30, 2005 5:49 am 
PPT Trainee

Posts: 500
Joined: Fri Oct 22, 2004 1:02 pm
Location: The Internet
See, but the problem with that is we all know TNT's reputation for getting stuff done on time, and with 3 kagillion players submitting userlookups and shops and petpages, it'd be a queue of years before your code got cleared. :P

Of course, a bot would help things along, but... Oh wait - They have one! And it blocks stupid things and (supposedly) lets JavaScript through...

Sorry. I'll stop ranting now.

*coughs and shuffles off to the side*


 
 Post subject:
PostPosted: Fri Dec 30, 2005 9:38 am 
PPT God

Posts: 2240
Joined: Thu Jun 03, 2004 1:04 pm
Location: Work usually
http://uk.news.yahoo.com/29122005/175/hackers-attack-zero-day-windows-vulnerability.html


 
 Post subject:
PostPosted: Fri Dec 30, 2005 11:35 am 
Beyond Godly

Posts: 2577
Joined: Mon May 31, 2004 1:36 pm
Location: Italy
Gender: Female
Thanks for the warning.
Personally I like having a spiffy lookup and all, but if we get down to this they should just disable everything. At least in shops.


 
 Post subject: WMF
PostPosted: Fri Dec 30, 2005 1:26 pm 
Newbie

Posts: 40
Joined: Sat Sep 17, 2005 6:03 pm
Location: Florida
That "zero-day" WMF thing could become a big deal over the next few weeks. But it may not be a problem on neopets.

First of all, the two people who so far appear to have been doing the cookie grabbing have been using only javascript and CSS. This kind of scripting isn't really that difficult, though finding the loophole to get it past the javascript filter which was supposed to prevent that takes some ingenuity. The other thing they have done is to brute force some passwords on a few premium accounts. There was apparently a new signon method which lacked limits on the number of attempts. There are common off-the-shelf password generators that can crack too-simple passwords if set up to keep trying. That oversight has been fixed by TNT.

Bottom line, there's some ingenuity there, but this hasn't been very "technical" stuff. The WMF trojans are going to require a bit more. It's possible they'll be able to take an existing trojan developed by someone else, and try and use it; it's not too complicated once someone else has done the work.

But even then, it shouldn't be too hard for neopets to simply block that media format (which is rarely actually used for much). And Microsoft should be able to patch the flaw quickly as well.

If it's a serious risk, however, TNT could at least temporarily block any updates to lookups, shop layouts, or petpages for a couple weeks until a patch is available from Microsoft.


Top
 Profile  
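Added example, not part of the thread and not Neopets code: a per-account limit on password attempts of the kind the post above says the new sign-on method lacked. LoginThrottle, replay, the five-failure threshold and the 60-second base lockout are assumptions chosen for illustration; the guesses fed to it are constructed sample input.

```python
import time


class LoginThrottle:
    """Caps password attempts per account for every sign-on path that goes through it."""

    def __init__(self, verify, max_failures=5, base_lock=60, clock=time.monotonic):
        self._verify = verify      # callable(username, password) -> bool
        self._max = max_failures   # failures allowed before a lockout starts
        self._base = base_lock     # first lockout in seconds; doubles each time
        self._clock = clock        # injectable so the behaviour can be tested
        self._state = {}           # username -> failure and lockout bookkeeping

    def attempt(self, username, password):
        now = self._clock()
        st = self._state.setdefault(username, {"fails": 0, "lockouts": 0, "until": 0.0})
        if now < st["until"]:
            return "locked"        # rejected before the password is even checked
        if self._verify(username, password):
            del self._state[username]
            return "ok"
        st["fails"] += 1
        if st["fails"] < self._max:
            return "denied"
        st["until"] = now + self._base * 2 ** st["lockouts"]   # 60 s, 120 s, 240 s, ...
        st["lockouts"] += 1
        st["fails"] = 0
        return "locked"


def replay(guesses, secret, gap=1.0):
    """Feed constructed guesses `gap` seconds apart; return (password checks made, outcomes)."""
    now, checks = [0.0], []

    def verify(_user, password):
        checks.append(password)
        return password == secret

    throttle = LoginThrottle(verify, clock=lambda: now[0])
    outcomes = []
    for guess in guesses:
        outcomes.append(throttle.attempt("owner", guess))
        now[0] += gap
    return len(checks), outcomes
```

Because the lockout is keyed on the account alone, it also shuts out the owner while it lasts; deployments commonly add a per-source limit alongside it.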
 
 Post subject:
PostPosted: Fri Dec 30, 2005 2:25 pm 
Newbie

Posts: 40
Joined: Wed Sep 28, 2005 2:07 pm
*sigh* Why do people do these things?

Does anyone know at what point this becomes a crime? I don't have premium so I don't know, but does the person who steals your account gain access to your payment info? If so does the actual "Crime" involvement kick in when they come into possession of your identity info, or when they use it?


I know very little about computers, lol, I didn't even know things such as screen shots existed before finding PPT so I understand very little of what is actually happening, but I have to say everyone here is really helping me decide fact from fiction (or as well as can be done in this case).


So assuming that someone does gain access to your non-premium account is there anywhere else they can go? Can they gain access in any strange way to your email? What I am really wondering is: Is there any way that charges could be brought against someone using a CG? Could it be done for all accounts? Just Premium accounts? All accounts of users with IE, or premium accounts with IE? Will the legal burden always be on Neopets (until someone actually uses any gained info for fraud) or is there some point in which this would be passed on to some law enforcement agency?


It sounds like most of this is being done out of mean spirit so I would assume that the only thing to make these people stop would be facing actual charges... I just wonder if that can ever happen, since the only thing at stake (I think) is a game account and our sanity. o_O

(sorry for any spelling errors... :oops: )


 
 Post subject:
PostPosted: Fri Dec 30, 2005 2:57 pm 
PPT Student

Posts: 319
Joined: Thu Sep 22, 2005 11:07 am
Green Lady of the knoll wrote:
*sigh* Why do people do these things?


They do it because they can, and because they're an illegitimate cross between raw sewage and radioactive waste. There is no such thing as an honourable hacker. If you meet a hacker, report it.

Quote:
Does anyone know at what point this becomes a crime? I don't have premium so I don't know, but does the person who steals your account gain access to your payment info? If so does the actual "Crime" involvement kick in when they come into possession of your identity info, or when they use it?


It's always a crime. It's never legal. However it may be difficult to prosecute, and even more difficult to recover damages. It's like any other kind of theft: prevention is your job.

Quote:
So assuming that someone does gain access to your non-premium account is there anywhere else they can go? Can they gain access in any strange way to your email? What I am really wondering is: Is there any way that charges could be brought against someone using a CG? Could it be done for all accounts? Just Premium accounts? All accounts of users with IE, or premium accounts with IE? Will the legal burden always be on Neopets (until someone actually uses any gained info for fraud) or is there some point in which this would be passed on to some law enforcement agency?


Yes, it's possible for them to use cookie grabbers to gain access to other cookies from other websites where you have an account, including your bank account if you do business online. Will they do it? Yes. They certainly will. Or they will teach someone else their trick and they will use it to damage more than just a few Neopets accounts.

If you are a US resident, and you have real information to share about this crime, you may try to contact the US Secret Service's Cybercrime division. They have a PDF form you can complete and submit to report crimes like this. However they may not be able to handle the workload -- so I won't post the link (easy to find with Google). And don't count on a personal response.


"I can't make heads or tails of this."


 
 Post subject:
PostPosted: Fri Dec 30, 2005 3:11 pm 
PPT God

Posts: 1372
Joined: Sat Feb 12, 2005 8:21 pm
Location: 10th Cloud
That's what I call dangerous.... Oh man. I'm still gonna take risks. I want to see the Advent Calendar videos and the prizes too. Maybe I'll use my newbie account to see.. heh


My Signature Was Too Bad =(


 
 Post subject:
PostPosted: Fri Dec 30, 2005 3:13 pm 
Honorary Member

Posts: 1869
Joined: Mon May 31, 2004 11:04 am
Location: Dundee, Scotland
The obvious advice I am giving to everyone is to change your password often. It doesn't have to be a lot. For example, if my password was normally gertrude, make it gertrude78 one day. The next, change it to gertrude43 etc. etc. We do that at the school web server (actually, we have it automatically make the password dynamic, but manually changing it is fine also).


 
 Post subject:
PostPosted: Fri Dec 30, 2005 3:35 pm 
PPT God

Posts: 1012
Joined: Mon May 31, 2004 5:19 am
Location: Browsing the web, playing on random pet sites, talking to my friends, amusing myself...
Well, for the next few weeks, I'm not going to do anything else but play games, and try to remember not to view highscore lookups...*winces and sighs* How fun. Ah well...


 
 Post subject:
PostPosted: Fri Dec 30, 2005 5:15 pm 
PPT Warrior

Posts: 892
Joined: Fri Apr 22, 2005 5:47 pm
Green Lady of the knoll wrote:
*sigh* Why do people do these things?


I ended up talking to supposedly one of those guys a night or two ago. Not the guy named Kaos (who was there as well, under the name _guildacount_, with that person, who stated that they had screenies on the entire process on their petpage MADE by Kaos, but I didn't look b/c what if it had been a scam? Though he stated that he would NOT hack a premium account, though he had done it once, because it IS illegal) and a guy named... Immortal? Im... something that started with that, who was apparently all upset because Kaos "stole his code to do this" and so he was hacking Premiums to prove that he could and also because "Neopets is awful making users spend that amount of money".

Then I pointed out that a) It's illegal, and b) I, personally, CHOOSE to spend that money on Neopets. Other people buy merchandise, other people spend money on playing WoW or City of Heroes/Villains. He thought it was stupid to do so (just on neopets, for some stupid reason he never explained though I asked) but couldn't come up with a solid answer on why it's okay to attack people who pay to play.

It was aggravating and stupid.

