The All Clear?

[TDG]

If I understand correctly, even if they encrypt the cookie, the cookie grabber (the person, not the programme) can still access your account by putting the cookie into their own cookie folder, fooling their computer into thinking the CGer had logged into Neopets.com.

Anywho, apparantly it's not over yet. From IDB's forums...

Bumping this up because it seems the cookie grabbing is in full swing yet again...and my brother was careless enough to get cged :[
Be careful...

[Officer 1BDI]

Grah. I've been browsing shops and petpages of BC contestants all day. I don't think I ran into anything malicious (there was a petpage that looked improperly coded, but I think that was just a user-error. I changed my word just in case) but this is certainly not what I wanted to hear.

I just wish TNT would actually tell us what's going on. I don't care if they're trying to prevent a site-wide panic; a lot of unaware users are going to walk right into this problem if no one brings their attention to it. And as much as I trust the people here, I'd really feel more assured if TNT came out and told us when the problem's fixed, let alone that there's a problem at all.

[Pudding]

I just wish TNT would actually tell us what's going on. I don't care if they're trying to prevent a site-wide panic; a lot of unaware users are going to walk right into this problem if no one brings their attention to it. And as much as I trust the people here, I'd really feel more assured if TNT came out and told us when the problem's fixed, let alone that there's a problem at all.

I completely agree. The thing is, the whole situation comes off as being way worse if they don't say anything about it. With things as they stand it feels like they're doing nothing, when that's presumably not true. There's no message from them on any of this, and that's a little worrying.

[everconfused]

What I don't understand is... How the hell can things like this even affect the Neopets site. The cookie grabber comes along, and surely (if Neopets has any sense) it will grab a hashed password; not a password. And surely (again, if Neopets has any sense), their hash will be unbreakable, and therefore, you should just have to brute force it for any collisions, hich will take as long as just brute forcing the entire password anyway...

You can probably still masquerade as the user by planting the cookie on your own computer. I'm sure the Neopets server doesn't remember users based on IP......there's no way to query MAC address right?

Also, I think I heard that it's possible to store all hash possibilities of a 7-letter password into a hard drive and break it. A quick calculation with (26^7*8 / 2^30) produces searching through something like 60 GB - certainly not impossible to do.

I doubt the cookie contains a hash of just the password though - they probaby hash something like username-date-time-randomintegers and store that into the cookie and a their own local database.

Apparently, for whatever reasons, the Neo cookies may or may not be "hashed", as someone claiming to be this kaos character said that a very famous neopian's "hash" was too long to try to break. That said, I don't know if that's something on Neo's end or the user (somehow).

BTW, if you just go to the site, don't log in even, then go look at the cookie, your IP addy IS there in the first line and again later in amongst all the other I don't know what they mean numbers. And it's been proven that Neo can and does track IP addresses. And the username is in the cookie if you log in. Now I did log in briefly on a side account - I cleared cookies after but not temporary internet. There's ALOT of xml and jscript stuff that I'm going to guess someone with the knowledge "might" be able to manipulate. I can't tell what's ads and what could be malicious - which most users wouldn't except for the obvious adcom, servedby, etc. I don't know what jsl.revsci.net is, but it's a JScript and crossdomain is an xml file. I'm soooo non-technical.

I don't know, there were boards earlier saying something about people somehow using "quick links" to peoples' SDB. If you go to your SDB on your own, you're fine. But (I don't get this at all) if you followed a link from a lookup, board, etc. saying it was a shortcut it somehow ended up being a CG via an iframe. Something like that. I was totally lost on the whole thing.

People are saying that Neo should just clear everything that can be personalized - lookups, petpages, pet descriptions, shops, galleries. That seems extreme, IMHO. I thought in order to plant a cg, the extension had to be .cgi and that would be easily banned. And according to a staff member, the cgs last week were disabled.

But as I was lurking on a couple of boards earlier I saw some really bizarre posts from older accounts and the person posting claiming that they'd hacked the accounts. Something needs doing. Accounts are being compromised, apparently without ever leaving the site. Premium members have been hacked and their personal info taken and compromised. It's quite sad that many of us are now afraid to go to a lookup, a petpage or even a user shop and some are madly changing passwords at least once a day.

All I know is IE and FF are affected, going by the posts I've read. The Microsoft fix apparently had nothing to do with whatever's going on on the site.

Bottom line ... as with all other glitches and problems, don't expect TNT to put anything in the news or anywhere else. Maybe a reminder to change your password regularly like after the weekend of 4/4 - which took them how long to post? Otherwise, they'll stand by their claim that the site's never been hacked and if anything happens to your account it's your problem, not theirs.

[Skynetmain]

I'm not saying this is true, but what are the odds that this is really over, for now, and that the people claiming they got robbed/hacked/cracked/etc while on Neopets are lying or got robbed/hacked/cracked/etc at another site? I'm just saying that Neopets could be perfectly safe, for now, and these new claims are bull, and the claimers are just out for attention. All of this could be bull too, but I'm just theorizing. (I used 'for now' because someone will always find a way to breach the security).

[everconfused]

Sky, I have to agree with you with at least some of the people suddenly claiming to have been hacked/cg'ed. Once it happens to a few people, suddenly there's a flood of Waah, I just got robbed ... the ones trying to beg for items.

But there've been a few bigger, "known" accounts that apparently got hit and I can't for the life of me think of a reason why they'd post saying this happened to them if it didn't.

The SBD thing I'm lost on and to be honest, skeptical of. It just doesn't make any kind of sense to me. Then again, neither does duping things except to just cause craziness, which that did quite well.

[Cranberry]

The SDB thing makes sense and honestly is pretty scary! Dolphinling explained it to me, and I think he's going to post here and explain it for everybody. But it is still going on, so don't click any links strangers give you (even if they say it's to a beauty contest picture or something), and stay away from petpages and 'quick links" on websites, too.

[dolphinling]

Okay, I finally have info on what this is all about.

The PHP for the Safety Deposit Box has a bug. It will accept extra search parameters (the things after the ? in the url), and manipulating that a certain way can get javascript in the SDB page.

Normally this is a problem because neopets never would abuse it themselves. However, if you click on a link to your sdb, the person who wrote the link can add that extra parameter. More dangerously, they can force you to visit it by putting it in an iframe on an external site, and tricking you into going there (i.e. view my screenies here!!).

So as of now, don't visit any sites you don't trust, and don't click any links without checking them thoroughly, or log out of neopets first.

I'm currently checking to see if there would be a way to protect yourself in firefox. If I find anything, I'll post.

Edit: To be more clear, the links would send you to your own SDB, but with extra javascript on the page added by whoever sent you the link. That javascript would be what gave your cookies to the Evil Person.

Edit:
You can protect yourself!

For this to work, you must have Firefox and adblock. I use Adblock Plus and Firefox 1.5, other versions may work, but I don't guarantee them.

First, open your Adblock Preferences.
Then click on Adblock Options.
Choose Site Blocking / Whitelisting.
Insert the following things:
*neopets.com/safetydeposit.phtml
*neopets.com/challenges/world_chall.phtml
Make sure to click Add and Ok (not cancel!).

This will block your safety deposit box from loading at all. If you need to take something out, temporarily disable the blocking.

This should block the attack. There's no warranty or anything, but I created it and I'm using it myself.

Edit: It's not just the SDBs that have this problem. I'll be updating this post with any new things that need to be blocked.

Last edited by dolphinling on Mon Jan 09, 2006 9:21 am, edited 3 times in total.

[everconfused]

Bows before dolphinling's 1337 knowledge Really! Someone tried explaining the SDB thing to me and I was beyond confused by the time they finished.

I was just like, ok, bottom line, if you need to go to your SDB, go there directly, do not click or follow any links from anyone else, right? The person said yes, that that was the safe way.

I guess what I don't understand is why anyone would follow a link from someone else to their own SDB.

That aside, with everything - the cg on lookups, petpages, shops, galleries; the insanely annoying blank page/double posting/items lost in space because the little pop-up window goes blank/portal doesn't want to load/pages in general don't want to load super lags;
an exploit that can and apparently has been taken advantage of in users SDBs (and what's next?);
the problems many premium members are having where they're suddenly premium-less, whether or not they're using paypal or credit card, paying monthly or yearly;
petpet lab access disappearing randomly;
whatever else you can think of (it's late here) ...

The site, IMHO, needs to be taken down for at least a day and worked on. I mean thoroughly worked on, any security holes/potential exploits fixed, the lag taken care of - update/add servers or whatever it takes. Yes I know, that takes money and having the site down means less money from advertisers. But in the long run, a smooth running, safe site will keep members. Or they can continue with seeming to not care and doing these hasty, only works for one specific problem fixes, allowing the lags and glitches and keep losing people. What's going to ultimately bring more revenue to the site and the site's merchandise. It's a no-brainer to me.

[dolphinling]

I guess what I don't understand is why anyone would follow a link from someone else to their own SDB.

It's very easy to get someone to follow a link. In my "how to prevent it" thing just above, I could have said "I made a page explaining how to prevent it here", and I guarantee I'd have 20 accounts of people that didn't look at the link url in just minutes. And it's worse than that.

If you view some other page that's not on neopets, the owner of the page could put an iframe on, with a src of the SDB. That iframe would load the SDB without you doing anything, and without you being able to stop it, and, if the person is smart, without you even knowing. That means that even if you look at urls and don't click on ones to your SDB, you're still not safe.

The only way to be safe is to not go to any sites you don't trust, to log out, or to stop the SDB page from loading as I posted a method for above.

[everconfused]

dolphinling, have you sent this information to TNT? This is very disturbing.

I'm going to assume (please correct me if I'm wrong) that if you: don't leave the site while logged in; go to your SDB directly - not following any links except from the main Shops page; if you do want to go anywhere else you log out of Neo first, clear your internet info (cookies, etc.), then clear everything again after you visit any other site ... you should be safe?

That's basically how I and the other people using this computer surf. I have it set up so as soon as you close FF everything gets cleared and only use IE basically for going to windows update.

[Skynetmain]

Two questions:
1) Would someone have to have with Neopets knowledge to go after the SDB like described above, or could that just be grabbed in a random attack?

2) How long does it take for password requests to get sent out? I just got an e-mail saying I requested one and immediately changed it. I remember requesting one months ago and never getting a reply, but I'm still paranoid. I never go to any strange/non-corperate/not-recommended-by-a-trusted-source sites. I've only seen the inside of an unknown usershop/lookup/etc three times this year, none in the past week, and all had only basic, NP issue stuff inside. Should I still be paranoid since nothing else is out of the ordinary, or I am I right to freak out?

[dolphinling]

dolphinling, have you sent this information to TNT? This is very disturbing.

Not yet, but at least one other person (the person I got the info from) has, and I will soon.

I'm going to assume (please correct me if I'm wrong) that if you: don't leave the site while logged in; go to your SDB directly - not following any links except from the main Shops page; if you do want to go anywhere else you log out of Neo first, clear your internet info (cookies, etc.), then clear everything again after you visit any other site ... you should be safe?

Yes--but for many people it's hard not to follow links. I know I would forget and click things. If you think you might mess up, it's best to use the blocking method I showed.

Two questions:
1) Would someone have to have with Neopets knowledge to go after the SDB like described above, or could that just be grabbed in a random attack?

Not quite sure I understand this... The person creating the attack would have to have at least a bit of neopets knowledge, yes. But if they didn't know anything about neopets, why would they be taking your stuff anyway? If that's not what you mean, try restating it?

2) How long does it take for password requests to get sent out? I just got an e-mail saying I requested one and immediately changed it. I remember requesting one months ago and never getting a reply, but I'm still paranoid. I never go to any strange/non-corperate/not-recommended-by-a-trusted-source sites. I've only seen the inside of an unknown usershop/lookup/etc three times this year, none in the past week, and all had only basic, NP issue stuff inside. Should I still be paranoid since nothing else is out of the ordinary, or I am I right to freak out?

I can't answer this, sorry

[stampsyne]

2) How long does it take for password requests to get sent out? I just got an e-mail saying I requested one and immediately changed it. I remember requesting one months ago and never getting a reply, but I'm still paranoid.

The good news is this should not in any way request your password from neopets. The bad news is that they would not need to because the cookie grabber would already tell them.

[dolphinling]

dolphinling, have you sent this information to TNT? This is very disturbing.

Not yet, but at least one other person (the person I got the info from) has, and I will soon.

I'm going to assume (please correct me if I'm wrong) that if you: don't leave the site while logged in; go to your SDB directly - not following any links except from the main Shops page; if you do want to go anywhere else you log out of Neo first, clear your internet info (cookies, etc.), then clear everything again after you visit any other site ... you should be safe?

Yes--but for many people it's hard not to follow links. I know I would forget and click things. If you think you might mess up, it's best to use the blocking method I showed.

Two questions:
1) Would someone have to have with Neopets knowledge to go after the SDB like described above, or could that just be grabbed in a random attack?

Not quite sure I understand this... The person creating the attack would have to have at least a bit of neopets knowledge, yes. But if they didn't know anything about neopets, why would they be taking your stuff anyway? If that's not what you mean, try restating it?

2) How long does it take for password requests to get sent out? I just got an e-mail saying I requested one and immediately changed it. I remember requesting one months ago and never getting a reply, but I'm still paranoid. I never go to any strange/non-corperate/not-recommended-by-a-trusted-source sites. I've only seen the inside of an unknown usershop/lookup/etc three times this year, none in the past week, and all had only basic, NP issue stuff inside. Should I still be paranoid since nothing else is out of the ordinary, or I am I right to freak out?

I can't answer this, sorry


Very big edit:

It's not just the SDB that has this problem. I have found one other place that the code can be entered, and am searching for more (and expect to find them). If you're using my blocking method with adblock, please go back to my original post and update the things you need to add, and check back often to see if it's updated.

If you don't feel like that, I really suggest logging off neo until it's fixed, or using a side account you don't care about. This really is happening, and could easily happen to you, even if you think you're being careful.