NoScript and You:

Protecting Yourself from Cookie Grabbers on Neopets


TIMES NOSCRIPT HAS SAVED MY ACCOUNT:
5

THE PROBLEM:

Lately, many of our fellow Neopians have lost their accounts to cookie grabbers (abbreviated CGers or CGs). A cookie grabber is a script embedded in a petpage, shop, userlookup, or external site that steals your cookies – specifically, your login cookie to Neopets. Once your cookie is stolen, the culprit has access to your account; if you do not notice immediately, they may take your account and steal your pets, money, and items.

Cookie grabbers are particularly dangerous because they are much harder for users to detect than most other methods of scamming (like fake login pages). But don't fear – you can still browse safely with a few precautions!

WHY NOSCRIPT:

The best way to protect yourself against cookie grabbers is to use the Firefox plugin NoScript.



As described by its developers,
"[NoScript] allows J-Script, Java and Flash and other plugins to be executed only by trusted web sites of your choice."

In plain terms, this means that any script a web page asks your browser to run (including a CG) will only run if you have specifically told NoScript that the site it comes from is allowed. Even though a CG may be sitting on a Neopets page, the CG script itself is loaded from another site – so while the Neopets content on the page will still be displayed, the script from the untrusted site is never run, the CG doesn't work, and your info is safe!

Technical Details from NoScript Site:
"Cross-Site Scripting (XSS) vulnerabilities are usually programming errors made by web developers, which allow an attacker to inject his own malicious code from a certain site into a different site… Whenever a certain site tries to inject J-Script code inside a different trusted (whitelisted and J-Script enabled) site, NoScript filters the malicious request neutralizing its dangerous load."


HOW TO GET NOSCRIPT:

STEPS:
Because of TNT's strict no-outside-link policy, I'll refrain from posting the direct links to download Firefox and NoScript. They can be easily found by doing a web search.


1. Download and Install Firefox
As of right now, there are no identical addons for other browsers. Chrome Incognito and IE InPrivate Browsing do not work in the same fashion and don't offer CG protection. A new addon for Chrome called NotScripts holds potential to be as effective, but (from what I've read) was just recently released and still has some serious kinks they're working out.

2. Download the Firefox Plugin NoScript
Firefox must be installed first, not just downloaded! Once NoScript is installed and you restart your browser, it should be running - there will be an icon in the bottom right corner of your browser window.

3. Allow Trusted Sites
You need to tell NoScript which websites are safe, since it blocks all scripts by default. The first time you visit a page you trust - like Neopets, your email, etc. - you'll need to click the icon in the bottom right corner of your browser to tell NoScript it's OK for that website to run scripts. Until you've done this, certain parts of the website probably won't work.



4. Block I-Frames
NoScript doesn't block I-Frames by default, and they're used in the newest petlookup CG. Go to NoScript Options (click on the icon), open the Embeddings tab, and make sure the box that forbids I-Frames is checked.



5. Keep XSS Filtering Enabled
By default, NoScript should be protecting you from XSS attempts, the method used by many CGs. If you click on the icon, hit Options, and open the Advanced tab, "Sanitize cross-site suspicious requests" should be checked. Just make sure you don't turn that off!

6. Get Rid of the Yellow Bar
I've always left it there myself, but if you are annoyed by the notification bar you can change the settings to have it hidden. Otherwise, since NoScript will probably be blocking various advertisement site scripts, it'll be at the bottom of your screen while you're browsing Neopets. Either go to the Options menu or just click Options on the bar and uncheck "Show message about blocked scripts".



NoScript will also block some obnoxious ads, and protect your browsing offsite as well. If you'd like to browse Neopets completely ad-free, I'd recommend you take a look at AdBlock, another Firefox plugin. A good guide for using AdBlock on Neopets (as well as a more in-depth description of how to download and install Firefox) is found below in the links section.

ADDITIONAL PRECAUTIONS:

As of the moment, NoScript should protect you from most (if not all) CG attempts. However, it doesn't hurt to be cautious! Here are some other means you can take to improve your account safety:

1. Set a PIN
Go to Pin Preferences to set your PIN. Make sure you require your PIN for changing your e-mail, or an intruder on your account can simply change your e-mail address and have the PIN sent to themselves. You can choose which other areas of the site require your PIN – it is not stored as a cookie, so a stolen cookie alone won't get past it, and it's an extra level of security for your Neopets, Bank, Shop, Gallery, and even Petpets!

2. Preemptively save your account recovery info
Go to Neopets Help, hit the Request Support tab, and click Submit a Ticket. Select Issue Type: secret words / Account Access Help. This form is what you would have to fill out if you ever have your account stolen. Write down your answers in a text file (don't actually submit the form, of course!). Taking a few minutes to save your answers on your computer while you can still look in your closet and such can help your chances of getting your account back if it is ever CG'd or scammed from you.

3. Check out the Firefox addon RequestPolicy
RequestPolicy gives you an added layer of security by letting you control every cross-site request a page makes (the kind of request a CG relies on to send your cookie offsite). It can be a tad trickier to figure out than NoScript, but it is worth having if you want to be absolutely safe. The In-depth Guide in the links section below has more info.

4. Be smart about what links you click
The whole point of this guide is to let you click on user generated content without fear, but if something is obviously a dangerous link it doesn't hurt to avoid it. Use common sense – if someone is promising you millions of NP for clicking on an external website, it's definitely a scam.

5. Use different secret words
It's good practice to use different secret words for your side accounts and email. While a CG doesn't inherently steal your word, the stolen cookie can hypothetically be decrypted to find it. Never use your Neopets secret word on offsite fan sites - while the Neopets server has not been hacked in a long time, some fan sites may have more security flaws.

THINGS THAT DON'T WORK

When a user asks what she can do to protect her account, she's usually hit with a barrage of advice - not all of it sound. Here I'll try to address some suggestions that don't actually do anything to protect your account.

1. Clearing your cookies
It's a popular idea that you should clear your cookies daily, but this doesn't actually prevent CGs. Any time you are logged in to Neopets, your computer is storing a login cookie and you are vulnerable to CG scripts. You're at the same risk whether you cleared your cookies an hour ago or 6 months ago. The only scenario in which this might be helpful is if you clear your cookies immediately before viewing a suspicious page, but be aware that you'll make another cookie as soon as you log back in to Neopets.

2. Chrome Incognito and IE InPrivate Browsing
Both of these methods just delete your cookies when you close your browser. Many people believe that they simply do not store cookies at all, but this is not the case - whenever you're logged in to Neopets, you have a login cookie. If you don't have a cookie, you can't be logged in.

3. Common sense alone
By avoiding most user-generated content and hovering over links before you click you'll definitely minimize your risk of being CG'd. However, unless you vow to never visit a single user generated page again, there's always a risk you'll go to buy a quest item from a seemingly innocuous shop and wind up without an account. CGs are not always obvious; they do not always involve clicking on anything; they are not always on the accounts of suspicious users. While even NoScript can't guarantee 100% protection, it's saved my account numerous times in the past. Ultimately it's up to you to decide if it's worth the effort to download - for me, there's no doubt.

OH NO! I'VE BEEN CG'D!

If you think you've fallen victim to a cookie grabber, here's some advice for minimizing the damage to your account:

1. Log out, Log in, Change your secret word
Logging out invalidates the cookie that they stole, preventing them from having immediate access to your account. Changing your secret word will keep your account safe in case they are able to later decrypt the cookie to find your word. These are the MOST IMPORTANT steps to take quickly after being CG'd.

2. Deleting your cookies doesn't mean you're safe!
Don't think you've fixed it by clearing your cookies afterwards. They already have your login cookie - just deleting it from your computer will not invalidate it like logging out does. Make sure to follow the instructions above.

3. If you can't access your account
Go to Neopets Help, hit the Request Support tab, and click Submit a Ticket. Often, TNT will freeze accounts that have been CG'd in order to protect them from further damage while they sort out the issue. If your account is frozen, don't panic. Fill in the appropriate account recovery form – if you followed my advice above, hopefully you have it prepared!

BUT IS IT ALLOWED?

The following Editorials mention NoScript and AdBlock. As long as you aren't using it to abuse a Neopets feature, it's perfectly ok to use. As for me making this guide… well, I'm assuming it's ok unless TNT tells me otherwise!

Editorial #379
Good idea using that plugin [NoScript], as it is very useful for safe browsing.


Editorial #190
Programs that do not affect the game play, such as ad block, do not give a player an unfair advantage and therefore can be used.

CREDIT / CONTACT / LINK BACK

1. Credit:
The base coding I modified was written by Nene - check it out!
This guide was written by me, with information I've researched. If you have anything to add, contact me! Help is much appreciated; I'll leave you credit here.

2. Contact:
You can NM me here, on my account Birdiebird2002. I'll be glad to answer any questions you have, and screenshots/info are always appreciated! :)

3. Link Back:
If you found this guide helpful feel free to link to it!




4. Helpful Guides:
The following guides related to account safety might help you out too!



SCREENSHOTS


Clicked on a Fake Link:
In this case, it was a fake link to a petpage that actually sent people offsite. It would redirect you to the petpage after being CG'd so it seemed as though nothing had happened. Thank goodness for NoScript!




Hidden CG Embedded in Shop:
The CG in this case was in the shop itself. Just clicking on the shop (not clicking on any item, picture, etc) would have been enough to get CG'd. The script was referenced from another website, which was blocked by NoScript.



CG Embedded in PetLookup:
One of the newer popular CGs is embedded in petlookups. It'll show two pictures of the pet - this is the telltale sign. Some users have reported this CG going through NoScript's protection; it does use an I-Frame which isn't blocked by NoScript by default, so this might be the issue. Here's a picture of NoScript blocking one that I encountered.











NEOPETS, characters, logos, names and all related indicia
are trademarks of Neopets, Inc., © 1999-2014.
® denotes Reg. US Pat. & TM Office. All rights reserved.
