
Wed Dec 13, 2006 11:46 pm

kcharles wrote:
marccaty wrote:I'm taking all the precautions. But how do we know when it's safe again? Neopets has not, in the past, been helpful in either acknowledging problems like this or giving an all clear.
I'd say wait till Tuesday. I'm not going to any shops, lookups or new Petpages today.


Does anyone have any updated information on this? I miss doing jobs!! :D

Thu Dec 14, 2006 3:11 pm

I would think that the easiest way to go about fixing this would be to tie cookies to IP addresses.

Thu Dec 14, 2006 4:44 pm

Oooh, Shapu, that's an excellent idea. *glances around to see if any staffers are lurking about*

Thu Dec 14, 2006 9:25 pm

shapu wrote:I would think that the easiest way to go about fixing this would be to tie cookies to IP addresses.

What if you use different computers?

Thu Dec 14, 2006 11:02 pm

Yeah, or if you're on an ISP like AOL that changes your IP drastically every time you log on? I'm not, but I used to be a supermod at a large forum, and we'd often run into that problem when trying to place an IP ban on bad posters.

Thu Dec 14, 2006 11:16 pm

Kenjiro wrote:
shapu wrote:I would think that the easiest way to go about fixing this would be to tie cookies to IP addresses.

What if you use different computers?

Different sets of cookies, that wouldn't actually be a problem.

Carnberry wrote:Yeah, or if you're on an ISP like AOL that changes your IP drastically every time you log on? I'm not, but I used to be a supermod at a large forum, and we'd often run into that problem when trying to place an IP ban on bad posters.

You'd lose your autologin, but hey, that's not a major concern?

Probably the easiest way to go about securing the sessions is to set a relatively short expiration for session keys (keep swapping them while the user is logged in) - requires stolen cookies to be taken advantage of immediately rather than giving a large window of opportunity; then lock the session to a particular IP wildcard and a hash of the User-Agent: header (makes it somewhat less trivial to hijack a session - especially since a UA check is invisible to the client). Autologin keys could be stored as cookies on a separate subdomain (i.e. http://secure.neopets.com) - that way, it's relatively easy to arrange a clickthrough (or simply a double Location: redirect) to re-authorize a timed-out user, and prevent the autologin key from being stolen anywhere on the site. I'd be surprised if they don't do some of that already.
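The scheme sketched in the post above (short-lived session keys that are swapped on every request, a session bound to an IP wildcard plus a hash of the User-Agent header, and the autologin key kept on a separate subdomain so a script injected elsewhere on the site cannot reach it), written out as an added example. This is not Neopets' code and nothing is known here about what the site actually did; the five-minute lifetime, the /24 "wildcard", the SessionStore and autologin_cookie names, and the HttpOnly flag on the autologin cookie are assumptions made for the example.

```python
"""Session hardening as described in the post above (added example, not the site's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 5 * 60                     # assumed: a session key lives at most five minutes
AUTOLOGIN_HOST = "secure.neopets.com"    # subdomain named in the post, used only as a cookie scope


def ua_hash(user_agent: str) -> str:
    """Hash of the User-Agent header; stored instead of the raw string."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def ip_wildcard(ip: str) -> str:
    """IPv4 /24 'wildcard' (10.1.2.3 -> 10.1.2.x), so an IP that moves within one block still matches."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected dotted IPv4 address, got {ip!r}")
    return ".".join(octets[:3]) + ".x"


@dataclass
class Session:
    user: str
    ip_prefix: str   # from ip_wildcard()
    ua: str          # from ua_hash()
    expires: float   # absolute time in seconds


class SessionStore:
    """In-memory store; `now` is injectable so expiry can be exercised without sleeping."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}   # token -> Session

    def create(self, user: str, ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(
            user, ip_wildcard(ip), ua_hash(user_agent), self._now() + SESSION_TTL
        )
        return token

    def validate(self, token: str, ip: str, user_agent: str):
        """Return (user, fresh_token) if the request matches the session, else (None, None).

        A stolen token only works from the same /24 with the same User-Agent and only
        until it expires; every successful check swaps the key, so a copy grabbed
        earlier stops working as soon as the real user makes another request.
        """
        s = self._sessions.get(token)
        if s is None or self._now() > s.expires:
            self._sessions.pop(token, None)
            return None, None
        same_net = hmac.compare_digest(s.ip_prefix, ip_wildcard(ip))
        same_ua = hmac.compare_digest(s.ua, ua_hash(user_agent))
        if not (same_net and same_ua):
            # Reject but keep the session: a failed hijack attempt must not log the
            # legitimate user out, or the check itself becomes a denial of service.
            return None, None
        del self._sessions[token]                       # rotate: the old key is dead
        return s.user, self.create(s.user, ip, user_agent)


def autologin_cookie(key: str) -> str:
    """Set-Cookie value for the long-lived autologin key.

    Domain=secure.neopets.com means the browser only sends it to that host, so a
    script injected into a shop or petpage on the main site never sees it.
    HttpOnly additionally hides it from document.cookie (an assumption added here,
    not something the post mentions).
    """
    return f"autologin={key}; Domain={AUTOLOGIN_HOST}; Path=/; Secure; HttpOnly"
```

The trade-offs the thread raises show up directly: a user whose IP changes to a different block mid-session (the AOL case) fails the same_net check and has to re-authorize via the secure subdomain, which is the "you'd lose your autologin, but that's not a major concern" outcome; a different computer simply gets its own session. The /24 wildcard and the five-minute lifetime are the knobs that decide how much of that friction legitimate users feel.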

Fri Dec 15, 2006 1:28 am

CGS are EVERYWHERE! There's anti CG tools and tips on my neo fan site :) (check my other topic ^_^)

Edit:

I got an update from my hacker friend that any page where an image could be placed, there could be a CG, so be SUPER CAREFUL EVERYBODY!!

Inrun Edit: Please edit your posts before you double post. We are not the neoboards. There is a handy little edit button in the top right of your post screen. Please use it in the future before you double post.

Fri Dec 15, 2006 2:46 am

Hunter Lupe wrote:Probably the easiest way to go about securing the sessions is to set a relatively short expiration for session keys (keep swapping them while the user is logged in) - requires stolen cookies to be taken advantage of immediately rather than giving a large window of opportunity; then lock the session to a particular IP wildcard and a hash of the User-Agent: header (makes it somewhat less trivial to hijack a session - especially since a UA check is invisible to the client). Autologin keys could be stored as cookies on a separate subdomain (i.e. http://secure.neopets.com) - that way, it's relatively easy to arrange a clickthrough (or simply a double Location: redirect) to re-authorize a timed-out user, and prevent the autologin key from being stolen anywhere on the site. I'd be surprised if they don't do some of that already.


I admit I don't know a whole lot about it, but I am pretty sure that is the reason I Deny all First and Third Party Cookies and only accept Session.

But I never lose my auto-login this way unless I clear my cookie manually (or the session expires as per some more secure sites like per page close, browser close, daily, etc.). Would it be easy for TNT to just re-encrypt the cookie pass every few hours or, say, the maximum duration the Wheel of Monotony can spin? :P That might be a decent temp. fix.

I was sort of wondering, how do you know if someone stole your password via a cookie? I mean, is the only indication that someone stole from the account? Would I 'know' something was up from my browser acting funny? Would there be leftover hacker files or anything like that? Would something like a script attempt to load or is it an undetectable phenomenon?

Fri Dec 15, 2006 5:37 am

NeoFaN_mc2 wrote:CGS are EVERYWHERE! There's anti CG tools and tips on my neo fan site :) (check my other topic ^_^)

Edit:

I got an update from my hacker friend that any page where an image could be placed, there could be a CG, so be SUPER CAREFUL EVERYBODY!!

Inrun Edit: Please edit your posts before you double post. We are not the neoboards. There is a handy little edit button in the top right of your post screen. Please use it in the future before you double post.


If you have information on anyone doing this type of thing, you really should write to TNT and let them know.

I find it absolutely reprehensible that there are people with nothing better to do with their time than find and exploit a weakness on Neo or any other site.

From that post I take that this problem has not yet been fixed? I really want to do some shopping, darn it -- without having to have my user info page open with old and new passwords in the spaces as a just in case.

anjuna, a few people who posted on the boards said they got some sort of weird pop-up that was only there for a few seconds -- that was in user shops. I don't know if anything showed up on bad lookups.

Only things I can suggest to people is

a) don't shop ... which goes with;

b) don't go to any lookups, shops, petpages, etc. -- anything customizable;

c) go to site preferences and block everything - neomails, nf requests, only nf can contact/send you things. Also make your neomail plain text;

d) if you even think you've been compromised go change your password, log out, clear everything, log in, change your password again (just to be safer) then take a look at your own lookup/shop/gallery/petpage code -- highlight it, as apparently the cg is in white font and you won't see it otherwise. If you don't want to be bothered with that, just clear everything. You don't want to be part of the chain that these things become.

As to disabling java. I've heard that people have been frozen for doing that. So, on the one hand, disabling it is supposed to help prevent cg from happening. But I'm no tech-type person, so I don't know that that would actually do any good. And on the other hand, even if it somehow does protect you from cgers, TNT might take exception to your doing that and freeze you. Sounds like a lose/lose situation to me.

Fri Dec 15, 2006 6:06 am

everconfused wrote:anjuna, a few people who posted on the boards said they got some sort of weird pop-up that was only there for a few seconds -- that was in user shops. I don't know if anything showed up on bad lookups.

...

As to disabling java. I've heard that people have been frozen for doing that. So, on the one hand, disabling it is supposed to help prevent cg from happening. But I'm no tech-type person, so I don't know that that would actually do any good. And on the other hand, even if it somehow does protect you from cgers, TNT might take exception to your doing that and freeze you. Sounds like a lose/lose situation to me.


That pop up could also be the virus in the ad rotating around that still has not been removed from the ad server. I use a HOSTS file and AVG Free and haven't had a problem since with that particular issue. I just remember reading Cranberry 'confirm' the CGs, so I just wondered if anyone found the 'remains' of anything on their system. Files, anything.

I default disable Java applets and am pretty sure you can't get frozen over anything like that. I found they used to hang my browser when I clicked Back after searching on the Wiz (long, long ago) and noticed this useless applet trying to load that apparently did nothing but hang my browser. If it's something else entirely then take extra-safe precautions.

Fri Dec 15, 2006 7:16 am

anjuna wrote:
I default disable Java applets and am pretty sure you can't get frozen over anything like that.


I'm pretty sure everconfused was referring to javascript, not Java applets. I can't recall any Java applets on the site.

Fri Dec 15, 2006 8:27 am

everconfused wrote:As to disabling java. I've heard that people have been frozen for doing that. So, on the one hand, disabling it is supposed to help prevent cg from happening. But I'm no tech-type person, so I don't know that that would actually do any good. And on the other hand, even if it somehow does protect you from cgers, TNT might take exception to your doing that and freeze you. Sounds like a lose/lose situation to me.

Freezing people for disabling java is laughable. It is my right to disable java on my own bloody computer if I choose to! It doesn't hurt anybody else, and it doesn't give me an unfair advantage over other players. If they really freeze people for that, then I don't even want to play neopets, because that's just crazy.

I don't often disable javascript on neopets, but when I feel like I need a little extra security while viewing user lookup pages, I'm going to do it. There's no reason why I shouldn't.

cgs

Fri Dec 15, 2006 1:21 pm

They are real. I lost my acct. to them. It says I downloaded a cheat program. I never did that. I would not even know how to find such a program, let alone download one. I do hope I get my acct. back. I wrote to TNT. But as you know that takes a long time.

Fri Dec 15, 2006 6:03 pm

Since I don't know much - if anything - about Cookie Grabbers (as I think I stated before) I was wondering if someone could take the time to answer my questions about them, thanks. ^^

My main question is, is there any obvious symptoms of being 'Grabbed?

I heard that if you're 'Grabbed you're automatically logged out, is this true? I'd guess it would be, as I thought that you logged into Sites using Cookies, therefore if your Cookie disappeared you wouldn't be logged in anymore, but I'm not sure.

Is it just Neopian Cookies or all Cookies? I think all of the Cookies my Computer has would crash someones if they all appeared at once ...and my Mum would kill me.

Would a Windows 98 crash if it was 'Grabbed?

Just curious really; a little while ago I thought I had been grabbed after visiting a PetPage that was taking forever to load. After that I realised Cookies weren't working for anything and as soon as I closed a Webpage I was logged out. Spent three hours on the computer trying to change my password... only to figure out later on it was another Glitch on my computer. :oops: Did change my password in the end though. =D Anyway, any help will be appreciated and will be rewarded by a giant virtual hug. ^^

Fri Dec 15, 2006 6:52 pm

I can't say for sure, but I think the only thing you'd notice is things being removed from your account, etc. Hackers can't crash your computer (or affect it at all, really) via cookie-grabbing AFAIK.