Welcome to the in-depth guide to avoiding cookie grabbers. This page was put together from background information on how cookie grabbing works, reverse engineering of various CG scripts, and first-hand research (plus losing 800k+ in trades along the way, but hey, it's priceless!!)
CG'd? 1. Log out. 2. Log in. 3. Change your password. 4. Done. Why? See the section on cookie grabbers in shops below.
Frozen? See the ticket instructions under Useful Links below.
Questions? Please neomail/webmail(dmitri_stanislaus) or contact me on NeoMallers (saudor)
NOTICE: If you are unable to see the images on this page after installing RequestPolicy, you either have to allow requests from neopets.com to neomallers.com or view this page in a browser you don't use for Neopets, since the images are hosted on the NeoMallers servers.
Jul 2012: Neomail: Switch to plain-text Neomail if you haven't already done so (HTML neomail can carry the same image-tag CGs as board posts).
Aug 2011: PINs: If you have not changed your PIN since August 2011, change it now. If you changed it after August 2011 you should probably still change it, and make sure the email account tied to your Neopets account is secured. Services like Gmail offer IP address tracking that logs access from other IPs; just remember your own. It may change slightly from time to time, but when you look it up on a whois/domain tool it should still show your own internet service provider.
June 18/2011: DUPED ITEM CGs: Source: Neoboards. Users are told to search Google for a phrase (removed here for your safety; the bait says to search it WITH QUOTES) and click the first neopets.com result, which supposedly is a list of users selling duped items and duped items to watch out for. It's a CG page. This is a HUGE problem right now!
August 31/2010: Neoboard CGs: CGs are being posted in Neoboard topics using an image tag. RequestPolicy should keep you safe from these, but regardless, be wary of board topics that "invite" you in.
August 21/2010: 'Inventory': Some users are reporting inventory items disappearing or being sent to others, so it is advisable to keep valuables in your SDB or gallery.
August 8/2010: 'Eye frame' (iframe) based CGs: be wary of people who neomail you things like "I heard you might be interested. Check my gallery" or "check my trades". Some form of CG is probably on the lookup and in the gallery.
August 8/2010: 2nd wave? CGs are on the move again, this time with the CG code encoded (obfuscated). Again, it probably won't run correctly in Firefox, but IE will execute it.
July 27/2010: RequestPolicy vs NoScript. Both or just one? More details on the RequestPolicy add-on have been added in its section below. A glossary has been added too.
July 26/2010: What to do if you're frozen has been added to Useful Links. With the new ticket system, getting an account back might not be so obvious; see below for more details. A link to an external NoScript guide has been added in the NoScript section.
July 25/2010: Filters updated. Yesterday TNT updated the filters: opening and closing quotes are now required around every link. Offsite CG links still seem to get through, but it's progress.
July 21/2010: RequestPolicy FF add-on: tips on using this add-on correctly have been added; please see the RequestPolicy section below.
July 20/2010: Jhudora: Do not go to a site with 'jhudora' in the name. It's a PHP/image based CG. They will say your lookup has been stolen, etc., and that you should check it out.
July 17/2010: REQUESTPOLICY FF Add-on: See below. *** This is a must! NoScript alone won't help you. ***
July 16/2010: On-site cookie grabbers: Yep, on-site cookie grabbers are back. The code is embedded directly in the shop itself, and NoScript will probably not save you (because you would have whitelisted neopets.com, and not doing so is against the ToS), so it's best not to snipe at this time. This one is embedded within the width property of a style attribute.
Judging from its rather invalid code it probably won't run in Firefox, but it will run in Internet Explorer.
July 12/2010: ARMOURED NEGG: Be careful of really cheap Armoured Neggs! A real one is masked underneath a fake Armoured Negg image that links to a CG site. They show up normally on the Wiz but cannot be bought by clicking, because of the invisible linked layer above the real one. If you know how to edit the page source on the fly you can still buy it, which removes it from the SSW so others won't get CG'd. Don't attempt this unless you know what you are doing.
(Screenshot: a sample shop with a CG; image hosted on NeoMallers, see the notice above)
For more details on cookie grabbing via XSS, please see the section on RequestPolicy.
COOKIE GRABBERS IN SHOPS - why you should log out first
(Try the two-browser trick: log into your account in two browsers. Browse around in both for a bit, then click Logout in one; the other browser gets logged out too.) Basically everyone holding that session gets kicked out.
The hacker, if inside your account, is logged out too, and to get back in would need to decode the password (if it's still encrypted within the cookie) to regain access. That is ample time for you to log back in and change your password. In most cases it's easier for him to just move on to the next account in the list.
If you change your password first, the hacker still has access the whole time you're doing it. Trying to change your password under pressure is no easy business. Time to log out is faster than (time to think of a new password + change it + enter it twice).
P.S. Clearing cookies doesn't work either. All it does is remove the cookies from your own system, not from anywhere else: the hacker's copy keeps working until the session is ended on the server side, and that is exactly what logging out does.
1. NOSCRIPT - required
THE LONG AND THE SHORT OF IT: Don't forget to whitelist neopets.com and any other sites that you trust (like hotmail.com) (see the screenshot).
Neopets may freeze your account for cheating if you restock with JavaScript disabled. An easy way to check that you have configured it properly: (1) Install NoScript. Go to your inventory and click on an item. Nothing pops up; this means NoScript is active and scripts are being blocked. (2) Now configure it as outlined below and check again. If the item description pops up, you're good to go!
If a page you rarely visit isn't working properly, temporarily allow it as shown in the screenshot. More details on configuring it are in the linked NoScript guide.
The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and other Mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful anti-XSS protection available in a browser.
NoScript's unique whitelist-based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality...
You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows.
Source: Noscript Homepage
2. FLASHBLOCK - strongly recommended
This allows you to selectively load Adobe Flash Player objects. If you need Flash to play games, simply click the arrow to enable that object. This is allowed by TNT, since most browsers don't even come with Flash. Do not whitelist neopets.com, as one type of CG uses a redirection of http://images.neopets.com/flash_version_check_v1.swf? to steal cookies.
Tip: You should whitelist that video site :)
3. KEYSCRAMBLER - not required against XSS
For protection against keyloggers (programs that record everything you type). It's no use changing your password if every key you press is being sent to the "hacker".
4. ADBLOCK - not required against XSS
It allows you to block ads. Stylish is good too (code to block ads coming soon). If you get a pop-up ad, use CTRL+W to close it. You definitely don't want to find yourself clicking 'close' on an 'XP Antispyware 2009' pop-up ad (on those fake-antivirus ads the close button is usually part of the bait); those are the worst to get rid of.
5. REQUESTPOLICY - required
THE LONG AND THE SHORT OF IT: IF A VALID PAGE is not showing up properly, right-click an empty area of the page and whitelist the blocked destinations that you TRUST. Do NOT select 'Allow requests from neopets.com', as this lets everything on the page through, which defeats the purpose. Basically, this plugin can be used in its default state!
RequestPolicy is an extension that improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by webpages you visit.
Cross-site requests are requests that your browser is told to make by a website you are visiting to a completely different website. Though usually legitimate requests, they often result in advertising companies and other websites knowing your browsing habits, including specific pages you view throughout the day. Among the attacks that cross-site requests are used in, they are particularly dangerous with Cross-Site Request Forgery (CSRF) attacks where your browser is told to make a request to another website and that other website thinks you (the person) meant to make the request.
With RequestPolicy, the default for any cross-site request is to deny it. Users are notified when requests on the current page have been blocked (the status bar flag icon at the bottom right of your browser turns red). Clicking on this status bar flag icon gives you a menu where you can view and modify which requests are blocked and allowed. You can whitelist requests you approve of by origin site, destination site, or specific origin-to-destination.
Which kinds of requests are blocked? (source: requestpolicy homepage)
By default, any request the browser makes from the current site a user is on to a third-party site is blocked. Users can then whitelist specific sites (with various levels of granularity) to allow requests they approve of. The types of requests that are blocked include:
Content of the current page that is from a different site.
Various tags in an HTML page tell the browser that more content is needed to display the current page. Normally, the browser immediately makes requests to third-party sites to obtain this content. The content can include images, JavaScript files, style sheet files, and many others.
Redirections from the current site to a different site.
Redirects tell your browser to load an entirely different website address than the one you are on or requested. Redirections can be caused by JavaScript, META refresh tags, and Location headers.
Is RequestPolicy an alternative or competitor to NoScript?
NoScript is a tool that gives you a default deny policy for JavaScript, Java, Flash and other plugins. NoScript allows you to whitelist scripts and objects from domains you trust.
RequestPolicy is a tool that gives you a default deny policy for cross-site requests. RequestPolicy allows you to whitelist cross-site requests you trust.
How does RequestPolicy help you where NoScript does not? RequestPolicy will protect you from various attacks that NoScript will not (such as CSRF attacks, though there are some special cases that NoScript protects against) and will give you greater privacy while browsing.
Also, RequestPolicy gives you finer-grained control over JavaScript and plugins when you use it with NoScript. For example, if you whitelist a domain in NoScript so that it may run JavaScript, that domain will also be allowed to run JavaScript when you are on any other site you have whitelisted in NoScript. RequestPolicy makes sure that JavaScript from a third-party site is still blocked unless you have allowed those cross-site requests.
Conversely, NoScript gives you protection that RequestPolicy does not. RequestPolicy will not keep you safe from malicious JavaScript or vulnerable plugins on the site you are currently visiting. So, NoScript is absolutely essential for browser security.
Having two separate tools that each do their specific jobs well is the best approach. NoScript is an amazing extension and is absolutely essential (like RequestPolicy) to using Firefox securely. It is best to use both RequestPolicy and NoScript.
http://www.neopets.com/~ShimmeringBliss (Stuff you should know about your account in case you need to get it unfrozen)
http://www.neopets.com/remacct.phtml (Self Ice Link)
http://www.neopets.com/~Skiizzy - CGing Traps and other warning signs to watch out for!
Neomail me if you know of any other pages that should be here -thanks!
From the NeoMallers Forums
If you used the ticket system, hopefully you did it correctly:
1. On the support page, click 'Submit a ticket'.
2. Select 'Account inquiries', then click 'Submit a ticket'.
3. Click 'My answer is not here'.
4. Select issue: 'Frozen Account'.
Note: Use a SIDE account so you can see the response to your ticket (you can't read it from the frozen account).
Food for Thought: Good lightweight anti-spyware tools:
1. Comodo Firewall. This gets annoying at times, and I do not really find much use for it once you have RequestPolicy + NoScript.
2. SUPERAntiSpyware (use the portable version and reboot into WINDOWS SAFE MODE for best effect if you are infected). The portable version is better than the installed program since it downloads with a random file name; malware loves to disable the main program file of popular AVs like Norton and AVG.
To boot into Safe Mode:
Just as Windows displays the boot-up progress bar / Windows logo, keep pressing F8 and select Safe Mode from the menu.
Tip: Periodically press F8 when the computer manufacturer
Cookie: A cookie, also known as a web cookie, browser cookie, and HTTP cookie, is a piece of text stored by a user's web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.
Cross-site scripting (XSS; what Neopians call CGing when it is used to steal cookies) holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF ("sea-surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[like neopets for example] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
For example, one user, Bob, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element whose src points not at an image file but at the withdrawal page on Bob's bank's website.
If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.
A cross-site request forgery is a confused deputy attack against a Web browser. The deputy in the bank example is Bob's Web browser which is confused into misusing Bob's authority at Mallory's direction.
A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices which is configured to permit or deny computer applications based upon a set of rules and other criteria.