Pink Poogle Toy Forum

Set your pins, that's the best you can do.

I'm always curious as to how this gets so easily exploited. What is it about NP's system that makes it so vulnerable to insertion of malicious code?

Well, no matter. I can have fun on the site playing games and challenging myself that way.

Mm, I dunno. I'm guessing it's the degree to which they allow us to personalise our pages. I think anywhere where a user is able to insert something into an HTML page is vulnerable, and it'd be so difficult to filter through all the HTML and CSS and pick out whether something's dodgy or not.

I wonder if sites like MySpace or LJ have similar security issues? (since they allow personalisation of pages too) I know LJ had one a few months back ... I guess it's nowhere near as tempting for people to hack into accounts on those sites though.

--

Edit: It's a pity that TNT don't post something on the news, when CG-ers find a new exploit like this and are actively threatening people (more than usual).

I tend to ignore posts on the Neoboards (and even here, a bit ) because things sometimes get a bit hyped up. But if it's something more serious, and TNT is actually working to fix it as we speak... that's a bit different.

Eeep! *goes into super paranoid mode* Well so much for my plan to work on buying junk for the pack rat av tonight. Oh well that can always wait.

I'm wondering... cookie grabbers are script right? So if you disable scripts temporarily for neopets.com, would you be safe? Or does this new exploit possibly work another way? In any case, I'm not taking any chances.

If you disable scripts for Neopets in general, not just their ads, you'll find most of the site to be inaccessible. You might as well stick to playing games, or stay away for a while.

Yes I know that, I was just curious IF disabling scripts would make you invulnerable. Just for pure curiosity's sake. Like I said, I don't plan to visit any shops, lookups, etc, until TNT fixes this, whether that's the case or not.

Although I do occasionally turn scripts off temporarily on neopets when visiting user created pages, when something seems fishy to me, or if I have a paranoid moment. XD It's very easy for me to turn scripts on and off quickly so I can go back and forth, if I want to.

Edit:
Haha! And of course now I get a faerie quest! XD

I'm always paranoid about cookie grabbers. I rarely visit pet/lookup pages and only visit user shops when I need something (restocking/quests). Plus my passwords/PIN#'s are very hard to guess.... even for people that know me well.

At least that way I feel safe when there are CG scares. You can never be completely protected, but you can at least be prepared.

There's one on myspace at the moment, something to do with shockwave i think.

Personalization is only part of the problem. The real issue is what is stored in the cookies they send out. Neopets is a terrible mess code/security-wise. The problem with the cookies password-wise is that they have a cookie (toolbar=username%2BC%2BpasswordMD5hashed) which can only be "grabbed" and read by code from neopets.com.

The problem is two fold. MD5 sucks for, though it is widely used for it, securing transmitting passwords. The other problem is the power of actionscript in flash. Though I don't believe it should be able to "grab" a cookie unless the flash itself is hosted on the neopets.com domain. I'm fairly certain most browsers would prevent this.

And also Cross Site Scripting exploits are NOT limited in ANY way to Neopets. Though I would recommend some serious changes for the way they handle security -- ESPECIALLY with premium having launched. They cannot think to charge people while using cookies with a clearly MD5 hashed password going back and forth with each transaction (packet sniffer paradise). I know people still swear by MD5, but at least neopets could salt the password or something.

blah!

wow, how do you know so much about it?

My guess is that spudge is quite knowledgable when it comes to computers

I'm taking all the precautions. But how do we know when it's safe again? Neopets has not, in the past, been helpful in either acknowledging problems like this or giving an all clear.

I'd say wait till Tuesday.I'm not going to any shops,lookups or new Petpages today.

Neopets did post in the editorial about the trading post cookie grabber issue. Hopefully they'll put it in the news this time.

As much as it pains me to say this, I wonder if TNT will have to disable user customized shops, lookups, and petpages. Instead of doing it ourselves, they could have a form to fill out with our text and colours of choice. (which wouldn't be half as good, but maybe it would be safer)

If you guys want to disable cookie grabers,and you have IE,go to Tools,Internet Options,Privacy and bring the Settings bar to the top.

I really hope they don't consider doing that! >.< They should make there security better instead.