Pink Poogle Toy Forum

The official community of Pink Poogle Toy

All times are UTC




Posted: Thu Dec 29, 2005 7:56 am
PPT Toddler

Posts: 129
Joined: Mon Jun 27, 2005 2:53 pm
Location: Honolulu, Hawaii, USA
I am not sure about this! But thanks for telling this I will look more into it and maybe read the posts that are already here! :roflol: If they're really big I can't tired and lazy and don't read them so yeah!


Posted: Thu Dec 29, 2005 8:15 am
PPT Trainee

Posts: 572
Joined: Tue Jun 01, 2004 11:18 am
Location: Faerieland
What a great time to do this too because the neopets team are once again away for 2 days (like the 4/4/04 exploit). So yeah, this would be the ideal time for them.


Save the trees! Don't do homework!


Posted: Thu Dec 29, 2005 9:18 am
Beyond Godly

Posts: 3041
Joined: Thu Jun 03, 2004 5:27 am
Location: at the late night science fiction picture show
dolphinling wrote:
Well, for people still using IE, there's a recent exploit that lets anyone take over your computer completely just by having you view a page... They could be using that, or they could be not using it. In any case, Firefox isn't affected (but if you get a download box you didn't request yourself, don't download it, because then you will be vulnerable).

If anyone can link me to an unfrozen account that supposedly has this, I can (safely, since I know what I'm doing :)) deconstruct it and give a better idea of what's going on to everyone. I can't seem to find any real information on the neoboards (figures).


OK, I can't give you any links to any accounts that may or may not be using this exploit. But there were people who DO use FF and they DID get accounts stolen.

Don't get me wrong, I love FF. But it's not the be all and end all. I've already gotten spyware using FF, so stuff is out there. Maybe not as much, maybe it's harder, maybe it's just a matter of time before FF has some of the problems as IE ... but this issue is not limited to people using one browser over another.


Posted: Thu Dec 29, 2005 9:20 am
PPT God

Posts: 1500
Joined: Fri Oct 14, 2005 9:34 am
Location: Massachusetts
So if you use FF are you less vulnerable? And should I clear out my cookies now?

I also should probably disable java, since I don't play the games much anymore, and can't oekaki due to lag... D:
But how do you disable it?


Posted: Thu Dec 29, 2005 9:51 am
Honorary Member

Posts: 5276
Joined: Mon Sep 12, 2005 3:45 pm
Location: Los Osos, CA, USA, Earth, Sol System, Milky Way Galaxy
Gender: Male
How would one know if one was 'hacked,' 'infected,' or 'whatever'? I've been running my spyware and antivirus all day (unrelated reason) and only got hits on what caused the initial panic and from the same dang cookies that my spyware always picks up. I'm on Firefox by the way.

I'm only asking because I went to a user shop when I saw that they had one of the 'new' cracker 'prizes' on only (NP$)¥20. I don't think it was a 'bad' user since it was a Japanese shop and only had a few cheap items of no real interest. (I don't remember the user's name for investigators. Sorry :( )


Set by Cukupan
Ohayo Nippon every Sunday at LW
I *heart* R
I'm on a boat like a boss


Posted: Thu Dec 29, 2005 3:11 pm
Beyond Godly

Posts: 2541
Joined: Mon Mar 07, 2005 10:50 am
Location: *bamf*
Firefox is not invulnerable to this - this is not the browser's fault, it is neopets' fault.

Cookies are set by each individual site right. These cookies store your password and details so you don't need to log in again each time. Now for cookies to be secure they should only be accessed by the originating site - that is, only neopets the site can access neopets cookies. On IE this isn't the case - this is why cookie grabbers on other sites can "steal" your neopets cookies. Incidentally cookie grabbers are just code that try to dupe your browser into believing it is the originating browser of the cookie.

Firefox is more secure, it only gives access to cookies to the originating site - neopets can only access neopets cookies, no one else can. But these new cookie grabbers are on the neopets site so the browser HAS to accept them - otherwise you couldn't play the game, they're not cookie "grabbers" they are just reading the cookies normally like the site itself can. Like I say, this is not the fault of the browser, it is as secure as can be when it comes to cookies. It is the neopets.com site which is failing, which is NOT secure.

You are not supposed to be able to use javascript on neopets, java script is scripts, code you can write, mini programs if you will. With javascript you can do anything you want pretty much. It is in all respects a nifty little language. And one thing it is very good at is manipulating cookies - it's one of its main jobs. You should NEVER be able to slip your own javascript on to another website, especially one as big as neopets. It is a shocking hole that neopets has and I am astonished that they did not listen to the warnings - not that this in any way excuses the behaviour of the people doing this.

To put it shortly - there is no protection from this other than not going to user shops, user lookups, petpages, pet lookups... anywhere a user can modify their own stuff. If disabling javascript is against the rules (even though they can't tell), neopets is unplayable if you wish to remain safe. There is no guarantee you won't stumble into one of these user shops by accident when browsing, reselling or quest searching. There is often no way to know you've been hit, other than watching your account disappear.

I don't want to sound alarmist - but if they have got around the no javascript code then none of these places is safe and there is no protection. Neopets has a very big hole in it, I only hope they appreciate how serious it is and fix it asap. Also apologies if I have oversimplified anything, I just want to make sure everyone understands ^^

And please bear in mind the above is only true if they have bypassed the nojs code.

EDIT: forgot to say, if you have been anywhere suspicious or you are worrying, just change your password asap and stay away from those places and you'll be fine. Grabbers can only get your current password ^^


Petpet Central
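
Added example (not part of the original thread, and not Neopets' code): a small Node.js model of the point made in the post above, that a script running inside the site's own pages reads that site's cookies like any other page script. It shows which cookies such a script can see under a weak and a hardened cookie setup, and how encoding user-supplied text keeps markup inert. The cookie names, values and shop text are constructed for illustration.

```javascript
// Parse one Set-Cookie header into { name, value, flags }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    flags: new Set(attrs.map((a) => a.split("=")[0].toLowerCase())),
  };
}

// What document.cookie exposes to any script on the page: every cookie for
// the site except those flagged HttpOnly (Path/Domain scoping ignored here).
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.flags.has("httponly"))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Encode user-supplied text before placing it in HTML so markup stays text.
// A site that permits some user HTML needs an allow-list sanitizer instead.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed headers. Weak: the credential itself sits in a readable cookie.
const weak = ["user=example_player; Path=/", "pass=constructed-password; Path=/"];
// Hardened: opaque session id that page scripts cannot read, HTTPS only.
const hardened = [
  "user=example_player; Path=/",
  "sid=3f9a1c0e7b2d; Path=/; HttpOnly; Secure; SameSite=Lax",
];

// Constructed shop description containing markup a user should not be able to run.
const shopBlurb = "Cheap puddings! <script>alert(1)</script>";

console.log("weak     :", scriptVisibleCookies(weak));
console.log("hardened :", scriptVisibleCookies(hardened));
console.log("rendered :", escapeHtml(shopBlurb));
```

With the hardened setup a script in a user-editable page sees only the non-sensitive `user` cookie, and a stolen session id can be revoked server-side without the password ever having been exposed.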


Posted: Thu Dec 29, 2005 4:06 pm
PPT God

Posts: 1500
Joined: Fri Oct 14, 2005 9:34 am
Location: Massachusetts
Thanks for clearing some stuff up for me :D

One more thing.
Say I use two browsers. If they grab my cookies while I'm on FF, can they get to my IE cookies too?

Like say I log onto my main on FF, but never my sides on FF, would they still be able to get my IE cookies, thus get my side accounts too?


Posted: Thu Dec 29, 2005 4:17 pm
Newbie

Posts: 22
Joined: Fri Dec 30, 2005 6:43 am
Wow. I had no idea this was going on. Thanks for the heads up and warnings.

I'll be sure to alert my friends also.


Posted: Thu Dec 29, 2005 4:27 pm
Beyond Godly

Posts: 2541
Joined: Mon Mar 07, 2005 10:50 am
Location: *bamf*
Troggy7 wrote:
Thanks for clearing some stuff up for me :D

One more thing.
Say I use two browsers. If they grab my cookies while I'm on FF, can they get to my IE cookies too?

Like say I log onto my main on FF, but never my sides on FF, would they still be able to get my IE cookies, thus get my side accounts too?


They can only get the cookies that are stored on the browser you are currently using, so your sides would be safe ^^


Petpet Central


Posted: Thu Dec 29, 2005 5:02 pm
PPT Trainee

Posts: 507
Joined: Sat Oct 23, 2004 11:10 am
everconfused wrote:
dolphinling wrote:
Well, for people still using IE, there's a recent exploit that lets anyone take over your computer completely just by having you view a page... They could be using that, or they could be not using it. In any case, Firefox isn't affected (but if you get a download box you didn't request yourself, don't download it, because then you will be vulnerable).

If anyone can link me to an unfrozen account that supposedly has this, I can (safely, since I know what I'm doing :)) deconstruct it and give a better idea of what's going on to everyone. I can't seem to find any real information on the neoboards (figures).


OK, I can't give you any links to any accounts that may or may not be using this exploit. But there were people who DO use FF and they DID get accounts stolen.

Don't get me wrong, I love FF. But it's not the be all and end all. I've already gotten spyware using FF, so stuff is out there. Maybe not as much, maybe it's harder, maybe it's just a matter of time before FF has some of the problems as IE ... but this issue is not limited to people using one browser over another.


Well actually, I was planning on using lynx. :)

I was just saying that right now, your computer can be taken over completely if you use IE and view a site with a bad image. You should be using Firefox (or Opera, or anything else that's not IE) so you don't get that. (Which, btw, could easily be on neopets. Your computer could be taken over completely just by viewing a shop, if you still use IE.)

In terms of actually deconstructing it, I was going to use a blank account, in lynx, and then obviously save the html and view it in a text editor. Multiple layers of protection--as I said, I know what I'm doing :)


Nabile pwns you...

            ...At Lenny Connundrum.


Posted: Thu Dec 29, 2005 7:02 pm
Beyond Godly

Posts: 2541
Joined: Mon Mar 07, 2005 10:50 am
Location: *bamf*
I'm still not totally convinced this is going on, I haven't seen any actual evidence of it myself :S I can't help feeling neo would have stopped it straight away if it was happening, and that if it was happening the impact would be much greater. But I don't know.

In any event I guess it's always best to be safe than sorry, and when it comes to neo I'm uber paranoid anyway xD


Petpet Central


Posted: Thu Dec 29, 2005 11:59 pm
PPT Student

Posts: 378
Joined: Sat Sep 10, 2005 10:53 pm
That sounds a little scary. I think I'll be changing my password after I do a round of shop wiz restocking. If anybody finds out more technical details, let me know. I'm interested in protecting myself.

I also recommend that those of you who are concerned send in an editorial submission asking about this and indicating that you are concerned.

Like Trick, I'm not convinced that it's happening. I'm not convinced that it's NOT, either. I'm also a bit paranoid, so I'll be more careful than usual. I'm considering moving the lion's share of my neopoints (a few hundred thousand) to my side account, in case my main account is compromised. I'm going to review the new FAQ and the rules to see if there might be any problems with that.


Posted: Fri Dec 30, 2005 12:15 am
PPT Toddler

Posts: 147
Joined: Wed Sep 28, 2005 12:22 am
Location: Honolulu, HI
Does anyone know how Neopets ensures NOJS?

I have seen systems (in my old workplace) compromised thru JS even when they had up-to-date Internet protection suite which supposedly blocked all JS. Am wondering if Neopets uses a similar suite?

Yesterday when I was shopping around to hoard some Traditional Christmas pudding (I hope you guys are not laughing - this is my first year anyway). I went to a user shop when the wiz said it had the pudding at 20 np or so, but I did not find any item in that shop (nor the "Item Not found!" message which I get if someone beats me to something). This happened multiple times - I was hoarding maybe for 20-30 minutes and got that shop in the wiz throughout the session. Later I saw the same guy (most probably - at least the shop had the same look and feel) selling Plushie paint brushes at least 2-3k below the normal price, went into the shop saw the same thing (I mean nothing) and came back. Overall the gap between those two were around 8-10 hrs.
I remember that I even tried to look at the source once and did a scan on "Traditional Christmas pudding" (most probably a couple of partial scans also), but did not find it on the source.
I even thought of reporting the shop, but then I thought it may have been a newbie selling things ignorantly and who has screwed up his page with all the fancy stuff. Also I wondered what if it was legit and so I did not report.

My questions are -
a) Is it possible to 'conceal' things in your shop?
b) Should I have reported? What if it was legit? Would I've been frozen?

Regards


Posted: Fri Dec 30, 2005 12:29 am
PPT Student

Posts: 378
Joined: Sat Sep 10, 2005 10:53 pm
sid_basu4243 wrote:
Does anyone know how Neopets ensures NOJS?


I doubt they'll tell us, because that could make it easier for hackers to find a way around it.

sid_basu4243 wrote:
My questions are -
a) Is it possible to 'conceal' things in your shop?
b) Should I have reported? What if it was legit? Would I've been frozen?


a) Yes. Sometimes people use CSS to position images or text boxes and the like over their low-priced items. It gets people into their shop and/or encourages others to price their items at or below that price. (a form of price-fixing) I've seen people make items unclickable, too.

b) If you see the item in the source code, but not on the page, and it's obvious that it's not just someone who was really bad at CSS/HTML, you probably should report it. I've seen some people's shops where they were just horrible at coding and it obviously wasn't intentional, whereas others are definitely trying to pull something. Use your good judgement. Your gut will tell you if there's something wrong.


Posted: Fri Dec 30, 2005 1:25 am
PPT Toddler

Posts: 147
Joined: Wed Sep 28, 2005 12:22 am
Location: Honolulu, HI
luv2lindy77 wrote:
b) If you see the item in the source code, but not on the page, and it's obvious that it's not just someone who was really bad at CSS/HTML, you probably should report it.


I did not see the item in the source code and also not on the page. I only saw it on the Wiz list. Most probably the person had concealed that item in his shop for price-fixing. Fortunately (unfortunately for me) the price did not decrease that much, so it did not solve the purpose, though Plushie PBs are now slightly cheaper.

Quite scary that people can go to such lengths on a fun site, even though I should say from my 4-5 months' experience that Neopets encourages competitiveness, albeit so that people remain hooked to it; and competitiveness encourages cheating!

