Pink Poogle Toy Forum

The official community of Pink Poogle Toy
Main Site
NeoDex
It is currently Sat Nov 16, 2024 12:45 am

All times are UTC




Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 52 posts ]  Go to page 1, 2, 3, 4  Next
Author Message
 Post subject: The All Clear?
PostPosted: Fri Jan 06, 2006 10:47 pm 
Beyond Godly
Beyond Godly
User avatar

Posts: 2541
Joined: Mon Mar 07, 2005 10:50 am
Location: *bamf*
I was just wondering if that whole cookie grabber thing had blown over? I've not really been playing neopets the last couple of days so I'm a bit out of the loop :oops:

But I have a pet waiting for just one more codestone in the Academy so I'd really like to know - is it secret? Is it safe?! </Gandalf>


Petpet Central


Top
 Profile  
 
 Post subject:
PostPosted: Fri Jan 06, 2006 10:56 pm 
PPT Student
PPT Student

Posts: 401
Joined: Sat Dec 31, 2005 9:56 am
Location: Other Side of Humanity
I've been cruising the AC for a while and I haven't heard anything about it so I think its all clear. I've looked at a few Petpages and Userlookups and so far I'm fine. (*knocks on wood*)


Top
 Profile  
 
 Post subject:
PostPosted: Fri Jan 06, 2006 10:59 pm 
PPT God
PPT God
User avatar

Posts: 1300
Joined: Mon Jan 02, 2006 11:49 am
Location: Where the sunbeams end and the starlight begins...
Gender: Male
What I always wondered... Do these CG's actually target accounts, or are they completely random? Cause currently, if they were targeting, I think there'd be a whole lot of accounts more interesting than mine.


Top
 Profile  
 
 Post subject:
PostPosted: Fri Jan 06, 2006 11:29 pm 
Honorary Member
Honorary Member
User avatar

Posts: 1869
Joined: Mon May 31, 2004 11:04 am
Location: Dundee, Scotland
Cookie Grabbers go on customizable web pages (e.g. Shops, User Lookups and Pet Pages) and anyone who visits one with one on will have their cookies grabbed. It doesn't target, per se.

Cookie Grabbers' code looks rather distinctive, so there is one on the page and you know a programming language, you should be able to see it there. If you do, then it's safe but always change the password. Heck, to be safe change your password whenever you look at a customizable page, if you're paranoid :P


Image


Top
 Profile  
 
 Post subject:
PostPosted: Sat Jan 07, 2006 3:33 am 
PPT Warrior
PPT Warrior
User avatar

Posts: 801
Joined: Wed Dec 15, 2004 8:15 pm
Yeah I'm wondering if it is all clear myself too. If it is I want to log in my account and start voting in the beauty contest. It's a bummer if I can't trust pet pages and look-ups.

Odd that I couldn't log into my main account today. I thought I knew the password but it failed to work. I sent a request for a change, but haven't gotten an email.

I hadn't seen any notification in my email account that my password had changed these last two days so maybe I genuinely forgot, but still it's odd.

The lack of resonse from TNT is making me very uneasy.

Edit: I tried again this time using the email form and got a reply. It's my own doing. I had changed it.

No wait a second, I did not change it. It's the keyboard I'm using. Some of the characters the keyboard can't type. That makes sense. This keyboard needs to be replaced.

I get paranoid easily. >_>


Top
 Profile  
 
 Post subject:
PostPosted: Sat Jan 07, 2006 4:31 am 
PPT Toddler
PPT Toddler
User avatar

Posts: 249
Joined: Mon Jun 14, 2004 4:03 am
Apparently if you update your Internet Explorer it fixes the problem. There is a new fix at the Microsoft site.


Top
 Profile  
 
 Post subject:
PostPosted: Sat Jan 07, 2006 4:37 am 
PPT God
PPT God
User avatar

Posts: 1873
Joined: Sun Jan 01, 2006 9:50 am
What about those using Firefox or other browsers? Or is the IE update in response to the Microsoft security hole?


Top
 Profile  
 
 Post subject:
PostPosted: Sat Jan 07, 2006 5:05 am 
PPT Trainee
PPT Trainee
User avatar

Posts: 610
Joined: Wed Oct 13, 2004 3:30 pm
The update that's been mentioned has to do with Windows and how it would view certain images. There was a bug found and people could hack your computer if you viewed/opened a certain image.

Either way, to fix it, go to: http://update.microsoft.com/

It only had to do with Windows. And it doesn't matter what browser you use, the patch will fix the problem. (But you will need IE to do the update.)


Top
 Profile  
 
 Post subject:
PostPosted: Sat Jan 07, 2006 5:57 am 
PPT Warrior
PPT Warrior
User avatar

Posts: 801
Joined: Wed Dec 15, 2004 8:15 pm
Thanks. I'll check to see if it installed on this machine. It may have already updated when my mom it set up (it has an auto update setting enabled), but it doesn't hurt to check, right?

edit:
Quote:
High-priority updates
No high-priority updates for your computer are available. To check for optional updates, return to our home page and click Custom.


Ok Good to go. I probably need to do the update on my own computer.


Top
 Profile  
 
 Post subject:
PostPosted: Sat Jan 07, 2006 11:04 am 
PPT Toddler
PPT Toddler
User avatar

Posts: 229
Joined: Tue Nov 16, 2004 1:55 pm
Location: the land of trees and rain
IcyBlue wrote:
The update that's been mentioned has to do with Windows and how it would view certain images. There was a bug found and people could hack your computer if you viewed/opened a certain image.

Either way, to fix it, go to: http://update.microsoft.com/

It only had to do with Windows. And it doesn't matter what browser you use, the patch will fix the problem. (But you will need IE to do the update.)


i believe you're talking about [url=http://www.microsoft.com/technet/security/advisory/912840.mspx]this[/a] (microsoft.com link), which i'm pretty sure wasn't related to the neopets issue?

at any rate, i wanted to provide the link because it was just yesterday (two days ago, now, actually) that microsoft was ready to respond, and it's an issue that affects many many people.


Image


Top
 Profile  
 
 Post subject:
PostPosted: Sat Jan 07, 2006 3:57 pm 
Beyond Godly
Beyond Godly
User avatar

Posts: 2541
Joined: Mon Mar 07, 2005 10:50 am
Location: *bamf*
Yes that was an unrelated problem from the neopets thing (though people should go get the critical update as always).

I'm going to assume it's all over as everything has gone rather quiet, and they did say a while back that the gap had been closed. Hurrah :)


Petpet Central


Top
 Profile  
 
 Post subject:
PostPosted: Sun Jan 08, 2006 7:34 am 
PPT Toddler
PPT Toddler
User avatar

Posts: 129
Joined: Mon Jun 27, 2005 2:53 pm
Location: Honolulu, Hawaii, USA
I never knew about this issue until i read this. :roflol: It has never effected my account before though. So I feel safe on neopets. :D


Top
 Profile  
 
 Post subject: Hackers...
PostPosted: Sun Jan 08, 2006 10:41 am 
Newbie
Newbie

Posts: 40
Joined: Sat Sep 17, 2005 6:03 pm
Location: Florida
The MS update is important to get because it was a particularly bad security hole that would have been easy to exploit. MS got an official update out very quickly, though. The problem has only been known in security circles for a little over a week, so it hasn't had the opportunity for exploits to become very widespread. I'm not sure if it's been a problem on neopets or not. I've seen some suggesting they were including code in images, and I think this might be the only known way to do that. I suspect that's just talk, but it's possible that's been done in the last week, as it apparently isn't too hard to get an example copy of one of these images and pretty much drop in whatever code (including any known trojan, or other exploit) you wanted to execute.

There seems to have been another flurry of stolen accounts tonight (just when things were seeming to calm down). I think there seems to be more problem on weekends when there isn't TNT staff to deal with problems and block them, possibly also because these are probably kids in school during the week.

Some are reporting they're getting prople to chat on MSN or AIM and somehow getting into hotmail accounts (which some use as their e-mail). Some are apparently falling for links to scam off-site websiites. There are many ways they could be getting information there. It's not clear whether these sites are expoiting a flaw that allows them to get cookies (there's am older flaw in some unupdated IE versions that could), whether their persuading people to download trojan software, or fooling people with spoofed neopets pages. They could be getting people to register on sites, and then exploit that in some ways. Some might use the same password on multiple sites (including neopets). If they get a registration e-mail, they could later send a spoof e-mail that appears to come from neopets.

What's a shame is that there are many legit fan sites (like this, or idb), that many users new to them are now afraid to visit. Technically, it might even be against the rules to post urls to such sites on the neoboards. I hope, while they're cracking down on the abuses, that they don't go overboard and go after people posting links to good sites.


Top
 Profile  
 
 Post subject:
PostPosted: Sun Jan 08, 2006 1:25 pm 
Honorary Member
Honorary Member
User avatar

Posts: 1869
Joined: Mon May 31, 2004 11:04 am
Location: Dundee, Scotland
What I don't understand is... How the hell can things like this even affect the Neopets site. The cookie grabber comes along, and surely (if Neopets has any sense) it will grab a hashed password; not a password. And surely (again, if Neopets has any sense), their hash will be unbreakable, and therefore, you should just have to brute force it for any collisions, hich will take as long as just brute forcing the entire password anyway...


Image


Top
 Profile  
 
 Post subject:
PostPosted: Mon Jan 09, 2006 12:00 am 
PPT Trainee
PPT Trainee

Posts: 549
Joined: Wed Jun 22, 2005 2:07 pm
Location: Huntington, NY
Gender: Male
Matt wrote:
What I don't understand is... How the hell can things like this even affect the Neopets site. The cookie grabber comes along, and surely (if Neopets has any sense) it will grab a hashed password; not a password. And surely (again, if Neopets has any sense), their hash will be unbreakable, and therefore, you should just have to brute force it for any collisions, hich will take as long as just brute forcing the entire password anyway...


You can probably still masquerade as the user by planting the cookie on your own computer. I'm sure the Neopets server doesn't remember users based on IP......there's no way to query MAC address right?

Also, I think I heard that it's possible to store all hash possibilities of a 7-letter password into a hard drive and break it. A quick calculation with (26^7*8 / 2^30) produces searching through something like 60 GB - certainly not impossible to do.

I doubt the cookie contains a hash of just the password though - they probaby hash something like username-date-time-randomintegers and store that into the cookie and a their own local database.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 52 posts ]  Go to page 1, 2, 3, 4  Next

All times are UTC


Who is online

Users browsing this forum: No registered users and 84 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group