Pink Poogle Toy Forum

Is the cookie grabbing/hacking conspiracy thing over yet?

I don't think anyone knows anything for sure.

Make sure to change your password and log out every time you shop or go to look-ups of people you don't know or trust.

Is it necessary to change passwords if you've turned JavaScript off? I keep it off unless I'm playing games while I'm browsing the site.

I haven't heard about any more CG incidents for the past week or so. That's not to say that it couldn't crop up again in the near future....

Stupid question:

If you're worried about being cookie-grabbed do you have to log out and change your password, or just log out and then log back in again?

I mean, the grabber grabs the cookie, which is good for the session, right? After you log out, is the cookie they've grabbed still valid?

You'd have to change your password and log out.

Otherwise they may have your password saved on their computer. (whatever password you had at the time they grabbed it)

But just changing your password is not enough because you'll stay logged in, so they may still be able to get on if they happened to log on before you changed the password.

Logging out expires your cookie for any browser or computer. You can test this by using different browsers or computers.

My, I didn't know this too. Thanks!

I didn't think they grabbed passwords as well. . I thought they just grabbed cookies and then used those to gain access into the account. Cookie Grabbers don't actually ever get your password do they?

No, cookie grabbers never grab your password. They just make the server think that someone else is you.

Right, they don't actually get your password. That's why I'm wondering if you actually have to change your password or just log out and then log back in again, which should (I think) close the old session (that they have a cookie for) and start a new one. Is the old cookie good for the new session, two, or are you safe once you've logged out?

My understanding is that in some cases, they may have used the info stored in the cookie to crack the password. I believe they are only able to do this with simpler passwords, but to be safe it's best to make sure you have a secure password, and if you have reason to suspect you've been cookie grabbed, change it.

I've done a small bit of investigation into neopets cookies, and I believe that logging out will not stop a grabbed cookie from working, but if you change your password to exactly the same thing, that will. Obviously though that's not authoritative, so if you think you have been grabbed then stay on the safe side and change it to something new.

Cool, thanks. :-)

I swear, I've changed my password so many times since the cookie-grabbing thing started, I had to have Neopets send my latest one to me the other day: I had completely forgotten what I'd used.

What cookie grabbers do is that they grab your password hash. This is your password decoded is special characters to "hide" it from the everyday person. There are different types of password hashes so that makes it that much more difficult for the person grabbing the cookies to decode it. An example of a common password hash is an md5. But you will find that after doing several google searches that there are a few online password hash decoders. So after you visit a possible cookie grabber page, just change your password because you will be creating a new password hash. Then for obvious security concerns, just log out and log back in and you should have no problems what so ever