Pink Poogle Toy Forum

The official community of Pink Poogle Toy
It is currently Tue Nov 19, 2024 12:28 pm

PostPosted: Sat Dec 09, 2006 10:11 pm 
Moderator

Posts: 3739
Joined: Mon May 31, 2004 5:58 pm
Location: Idiotville
Set your pins, that's the best you can do.

I'm always curious as to how this gets so easily exploited. What is it about NP's system that makes it so vulnerable to insertion of malicious code?

Well, no matter. I can have fun on the site playing games and challenging myself that way.


PostPosted: Sat Dec 09, 2006 11:29 pm 
PPT Trainee

Posts: 657
Joined: Tue Jun 01, 2004 4:35 am
Location: Australia
Gender: Female
shapu wrote:
I'm always curious as to how this gets so easily exploited. What is it about NP's system that makes it so vulnerable to insertion of malicious code?

Mm, I dunno. I'm guessing it's the degree to which they allow us to personalise our pages. I think anywhere where a user is able to insert something into an HTML page is vulnerable, and it'd be so difficult to filter through all the HTML and CSS and pick out whether something's dodgy or not.

I wonder if sites like MySpace or LJ have similar security issues? (since they allow personalisation of pages too) I know LJ had one a few months back ... I guess it's nowhere near as tempting for people to hack into accounts on those sites though.

--

Edit: It's a pity that TNT don't post something on the news, when CG-ers find a new exploit like this and are actively threatening people (more than usual).

I tend to ignore posts on the Neoboards (and even here, a bit :oops:) because things sometimes get a bit hyped up. But if it's something more serious, and TNT is actually working to fix it as we speak... that's a bit different.


PostPosted: Sun Dec 10, 2006 4:34 am 
PPT Warrior

Posts: 793
Joined: Wed Aug 16, 2006 6:12 am
Location: On the causeway to neverwhere
Eeep! *goes into super paranoid mode* Well, so much for my plan to work on buying junk for the pack rat av tonight. Oh well, that can always wait.

I'm wondering... cookie grabbers are scripts, right? So if you disable scripts temporarily for neopets.com, would you be safe? Or does this new exploit possibly work another way? In any case, I'm not taking any chances.


And my soul from out that shadow that lies floating on the floor
Shall be lifted - nevermore!


PostPosted: Sun Dec 10, 2006 4:37 am 
PPT God

Posts: 1025
Joined: Tue Aug 24, 2004 2:16 pm
If you disable scripts for Neopets in general, not just their ads, you'll find most of the site to be inaccessible. You might as well stick to playing games, or stay away for a while.


PostPosted: Sun Dec 10, 2006 5:08 am 
PPT Warrior

Posts: 793
Joined: Wed Aug 16, 2006 6:12 am
Location: On the causeway to neverwhere
Huggles wrote:
If you disable scripts for Neopets in general, not just their ads, you'll find most of the site to be inaccessible. You might as well stick to playing games, or stay away for a while.

Yes, I know that; I was just curious IF disabling scripts would make you invulnerable. Just for pure curiosity's sake. Like I said, I don't plan to visit any shops, lookups, etc., until TNT fixes this, whether that's the case or not.

Although I do occasionally turn scripts off temporarily on Neopets when visiting user-created pages, when something seems fishy to me, or if I have a paranoid moment. XD It's very easy for me to turn scripts on and off quickly so I can go back and forth, if I want to.

Edit:
Haha! And of course now I get a faerie quest! XD




PostPosted: Sun Dec 10, 2006 7:31 am 
PPT Toddler

Posts: 163
Joined: Wed Apr 12, 2006 3:41 pm
Location: Alberta
I'm always paranoid about cookie grabbers. I rarely visit pet/lookup pages and only visit user shops when I need something (restocking/quests). Plus my passwords/PINs are very hard to guess... even for people who know me well.

At least that way I feel safe when there are CG scares. You can never be completely protected, but you can at least be prepared.




PostPosted: Sun Dec 10, 2006 7:47 am 
Honorary Member

Posts: 4363
Joined: Tue Jul 13, 2004 2:40 am
Location: Down Under
Gender: Female
mazil wrote:
I wonder if sites like MySpace or LJ have similar security issues? (since they allow personalisation of pages too) I know LJ had one a few months back ... I guess it's nowhere near as tempting for people to hack into accounts on those sites though.


There's one on MySpace at the moment, something to do with Shockwave, I think.


PostPosted: Sun Dec 10, 2006 10:21 am 
Newbie

Posts: 39
Joined: Fri Mar 31, 2006 1:23 pm
Location: Kirkland, WA
Personalization is only part of the problem. The real issue is what is stored in the cookies they send out. Neopets is a terrible mess code/security-wise. The problem with the cookies password-wise is that they have a cookie (toolbar=username%2BC%2BpasswordMD5hashed) which can only be "grabbed" and read by code from neopets.com.

The problem is twofold. MD5 sucks for securing transmitted passwords, though it is widely used for it. The other problem is the power of ActionScript in Flash. Though I don't believe it should be able to "grab" a cookie unless the Flash itself is hosted on the neopets.com domain. I'm fairly certain most browsers would prevent this.

And also, cross-site scripting exploits are NOT limited in ANY way to Neopets. Though I would recommend some serious changes for the way they handle security -- ESPECIALLY with Premium having launched. They cannot think to charge people while using cookies with a clearly MD5-hashed password going back and forth with each transaction (packet sniffer paradise). I know people still swear by MD5, but at least Neopets could salt the password or something.

blah!


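As an added illustration of the two weaknesses spudge describes (example code written for this page, not Neopets' own code; the `toolbar` cookie layout is reconstructed from his description and is an assumption): the weak cookie carrying an unsalted MD5 of the password, beside a hardened design that keeps a salted slow hash server-side and sends the browser only an opaque, HttpOnly session token.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote

# Weak scheme, reconstructed from the post's description; exact layout is an assumption.
def weak_toolbar_cookie(username, password):
    """toolbar=username%2BC%2Bmd5(password): unsalted, fast, deterministic."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return "toolbar=" + quote(f"{username}+C+{digest}", safe="")

def parse_weak_toolbar_cookie(cookie):
    """Split the weak cookie back into its fields (what a grabber would end up holding)."""
    _, _, value = cookie.partition("=")
    user, _marker, digest = unquote(value).split("+", 2)
    return {"user": user, "md5": digest}

def hash_is_reusable_across_users(password):
    """Same password -> same digest for every user, and the digest is itself a
    replayable credential: whoever holds the cookie holds the account."""
    a = parse_weak_toolbar_cookie(weak_toolbar_cookie("alice", password))["md5"]
    b = parse_weak_toolbar_cookie(weak_toolbar_cookie("bob", password))["md5"]
    return a == b

# Hardened scheme: salted slow hash at rest, random opaque session token in transit.
def hash_password_for_storage(password):
    """Per-user random salt + PBKDF2-HMAC-SHA256; stays server-side, never in a cookie."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()

def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

SESSIONS = {}  # server-side token -> username; in-memory stand-in for a real session store

def issue_session_cookie(username):
    """Random session id only: HttpOnly keeps page scripts from reading it, Secure keeps
    it off cleartext HTTP, and nothing password-derived ever reaches the client."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    return c.output(header="").strip()
```

Two users with the same password get different stored hashes, and a stolen session token neither reveals the password nor survives a server-side logout, which is the property the unsalted MD5 cookie lacks.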
PostPosted: Sun Dec 10, 2006 11:32 am 
Honorary Member

Posts: 4363
Joined: Tue Jul 13, 2004 2:40 am
Location: Down Under
Gender: Female
Wow, how do you know so much about it?


PostPosted: Sun Dec 10, 2006 12:13 pm 
PPT Toddler

Posts: 163
Joined: Wed Apr 12, 2006 3:41 pm
Location: Alberta
My guess is that spudge is quite knowledgeable when it comes to computers ;)




PostPosted: Sun Dec 10, 2006 1:52 pm 
Newbie

Posts: 17
Joined: Mon Aug 01, 2005 7:31 am
I'm taking all the precautions. But how do we know when it's safe again? Neopets has not, in the past, been helpful in either acknowledging problems like this or giving an all clear.


PostPosted: Sun Dec 10, 2006 3:41 pm 
PPT God

Posts: 1649
Joined: Thu Jan 05, 2006 4:11 pm
Location: At a Rascal Flatts Concert
Gender: Female
marccaty wrote:
I'm taking all the precautions. But how do we know when it's safe again? Neopets has not, in the past, been helpful in either acknowledging problems like this or giving an all clear.

I'd say wait till Tuesday. I'm not going to any shops, lookups or new Petpages today.




PostPosted: Sun Dec 10, 2006 6:25 pm 
PPT Trainee

Posts: 541
Joined: Mon Jun 26, 2006 12:49 pm
Neopets did post in the editorial about the trading post cookie grabber issue. Hopefully they'll put it in the news this time.

As much as it pains me to say this, I wonder if TNT will have to disable user customized shops, lookups, and petpages. Instead of doing it ourselves, they could have a form to fill out with our text and colours of choice. (which wouldn't be half as good, but maybe it would be safer)


PostPosted: Sun Dec 10, 2006 7:22 pm 
PPT God

Posts: 1649
Joined: Thu Jan 05, 2006 4:11 pm
Location: At a Rascal Flatts Concert
Gender: Female
If you guys want to disable cookie grabbers, and you have IE, go to Tools, Internet Options, Privacy and bring the Settings bar to the top.




PostPosted: Sun Dec 10, 2006 10:24 pm 
PPT Warrior

Posts: 793
Joined: Wed Aug 16, 2006 6:12 am
Location: On the causeway to neverwhere
yvonne_l_d wrote:
As much as it pains me to say this, I wonder if TNT will have to disable user customized shops, lookups, and petpages. Instead of doing it ourselves, they could have a form to fill out with our text and colours of choice. (which wouldn't be half as good, but maybe it would be safer)

I really hope they don't consider doing that! >.< They should make their security better instead.



