Vulnerability in IE7 and Firefox 2 (cookie-grab possibility)
Fri Feb 16, 2007 3:08 am
Quick and simple version:
There are two (different) bugs in IE7 (and lower) and Firefox 2.0.0.1 (and lower). They each end up producing similar security holes. The IE7 bug is new, the Firefox one is older (but was never fixed).
If you type things into a malicious site's form, they can divert some of the keystrokes to somehow trick the browser into thinking you want to send a file from your computer. It looks like you have to type in the right letters to spell out the name of the file. I wouldn't type in any untrusted sites' forms if I were you, at least until the holes are patched.
There are already demos out, so I expect copycats soon.
The moral is don't type anything into any online form you don't trust.
There's a second bug in Firefox that looks like it can pretend to be another site and write cookies, but not read them.
I think Neopets cookies have non-random names and are vulnerable, but I'm not sure. This also might have been what sparked the "bind login info to IP" change (if that's what TNT did - I'm not clear on the details). But this obviously extends past Neopets cookie-grabbing - be careful!
News article: http://blogs.zdnet.com/security/?p=37
NOTE: THE DEMOS THE ARTICLE LINKS TO ARE SUPPLIED BY THE HACKER, NOT ZDNET - do not try them unless you trust him/her.
For those who are too paranoid to click on the news article:
There are two (different) bugs in IE7 (and lower) and Firefox 2.0.0.1 (and lower). They each end up producing similar security holes. The IE7 bug is new, the Firefox one is older (but was never fixed).
If you type things into a malicious site's form, they can divert some of the keystrokes to somehow trick the browser into thinking you want to send a file from your computer. It looks like you have to type in the right letters to spell out the name of the file. I wouldn't type in any untrusted sites' forms if I were you, at least until the holes are patched.
There are already demos out, so I expect copycats soon.
The moral is don't type anything into any online form you don't trust.
There's a second bug in Firefox that looks like it can pretend to be another site and write cookies, but not read them.
I think Neopets cookies have non-random names and are vulnerable, but I'm not sure. This also might have been what sparked the "bind login info to IP" change (if that's what TNT did - I'm not clear on the details). But this obviously extends past Neopets cookie-grabbing - be careful!
News article: http://blogs.zdnet.com/security/?p=37
NOTE: THE DEMOS THE ARTICLE LINKS TO ARE SUPPLIED BY THE HACKER, NOT ZDNET - do not try them unless you trust him/her.
For those who are too paranoid to click on the news article:
Ryan Naraine @ 12:31 pm Feb 15 2007 at ZDnet wrote:Firefox and Internet Explorer users beware: There are serious, unpatched flaws in both browsers that could allow the manipulation of authentication cookies and the hijacking of files from your Windows machine.
Details on both vulnerabilities have already been posted to the Full Disclosure mailing list by Polish researcher Michal Zalewski. SecurityFocus provides coverage of the issue, which dates back to 2006.
According to Zalewski, a well-known hacker credited with several major flaw discoveries, there are two very different issues affecting Firefox and IE 7.
First up is a brand-new IE 7 bug that could be used to divert keystrokes from Web-based games, blog entries and comment forms, online chats. In certain scenarios, an attacker could exploit the flaw to read sensitive local files on a computer. "Some user interaction is required, but only to an extent commonly expected on some popular Web site. XSS attacks make it far worse," Zalewski said.
Click here for an online demonstration of the IE 7 (and prior) vulnerability.
Firefox 1.5 and 2.0 users can test for the flaw here.
Separately, Zalewski also warned about a new bug in the way Firefox handles writes to the 'location.hostname' DOM property. The bug could allow for the browser to appear as if were connecting to a bank, when in fact it would instead be receiving data from a bad guy, according to a note on the F-Secure blog.
Click here for a demo of the Firefox 2.0.01 bug, which requires JavaScript. Mozilla's security response team is already working on a patch.
[UPDATED: February 15, 2007; 6:17 PM Eastern] Just received this note from the Microsoft Security Response Center:
Microsoft's initial investigation reveals that an attacker could gain access to user files if the location of a given file is already known. In order to be successful, an attacker in advance would have to convince the user to enter the location of a file into an attacker's Web page through social engineering. Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers.
Fri Feb 16, 2007 3:48 am
And yet another good reason that turning Java Script OFF (even when perusing Neopets) is a good habit to acquire. Sometimes I copy my password into Neopets and then go to copy something else from Clipboard -- and it doesn't always work, therefore the last thing I pasted is entered instead of the new term I wanted. And before anyone uses the word "cheating", I might remind you that there will always be a small percentage of True Cheaters and True Scammers. I don't believe that one can measure 'unfair advantage' by such that will always exist in the smallest minority. (In other words, if there were absolutely zero cheaters/scammers all of a sudden, do you really think the rest of us would even notice?) Just because one is protecting oneself from a security flaw or exploit, and so long as Neopets doesn't have a universal browser, I think even Lawyerbot would agree it is not wrong to allow JS to be off. Just don't go restocking on my advice. TNT can, with their skewed Terms & Conditions, basically do anything they want at any time at their 'discretion.' 
And once again disappointed in Firefox, where most people don't even get paid to fix stuff; instead must have a strong sense of allegiance to encourage such.
And once again disappointed in Firefox, where most people don't even get paid to fix stuff; instead must have a strong sense of allegiance to encourage such.
Fri Feb 16, 2007 5:11 am
anjuna wrote:...Just because one is protecting oneself from a security flaw or exploit, and so long as Neopets doesn't have a universal browser, I think even Lawyerbot would agree it is not wrong to allow JS to be off. Just don't go restocking on my advice. TNT can, with their skewed Terms & Conditions, basically do anything they want at any time at their 'discretion.'
This excerpt is rather bizarre to me. Please don't spread fear or confusion by suggesting that TNT might freeze you for disabling Javascript. That makes people hesitate from doing whatever they think is necessary. Disabling Javascript should be perfectly fine. (If you're just trying to find reasons to attack TNT, please don't do that either.)
If, by now, you actually *are* afraid of being frozen, you should be able to mark Neopets as a trusted site and enable Javascript for only trusted sites.
(And why wouldn't people support open source for the sake of open source? And I would pick a different website to illustrate Firefox myths - that one you picked is rather sensationalist and cherry-picky (i.e. the easter egg = "Mozilla religion" nonsense); plenty of reputable experts have distinguished and analyzed the real myths.)
Fri Feb 16, 2007 5:29 am
Opera, Konqueror and Safari are ofcourse unaffected. 
Fri Feb 16, 2007 5:36 am
AySz88 wrote: Please don't spread fear or confusion by suggesting that TNT might freeze you for disabling Javascript. That makes people hesitate from doing whatever they think is necessary. Disabling Javascript should be perfectly fine. (If you're just trying to find reasons to attack TNT, please don't do that either.)
If, by now, you actually *are* afraid of being frozen, you should be able to mark Neopets as a trusted site and enable Javascript for only trusted sites.
This was recently stated in the Neopian Times editorial (issue 275) about Javascript, so I don't think Anjuna was spreading fear or confusion whatsoever.
I have recently noticed many restockers get iced. When restocking if you have JavaScript disabled is that considered cheating? ~zlqqlz
Yes, disabling JavaScript or images while restocking is considered giving yourself an unfair advantage over other players, and is not allowed. Even though it's a browser function and not a 3rd party cheat, it's still not allowed. Just like opening 100 window tabs and hitting "refresh all" trying to get Random Events will get you frozen faster than you can say, "Geraptiku" (or figure out how to pronounce it; one or the other). Don't get paranoid, though! If you don't know if you disabled JavaScript, you most likely haven't. This question probably doesn't apply to 99.87% of you, so don't fret about it if you have no idea what we're blithering about here.
Fri Feb 16, 2007 5:42 am
Morningstar wrote:...
This was recently stated in the Neopian Times editorial (issue 275) about Javascript, so I don't think anyone was spreading fear or confusion whatsoever....
Hmm, sorry about that then; it was rather nastily worded though, and I hope you'll understand me thinking it was more an attack against TNT than a good-faith tip.
Fri Feb 16, 2007 6:16 am
AySz88 wrote:Morningstar wrote:...
This was recently stated in the Neopian Times editorial (issue 275) about Javascript, so I don't think anyone was spreading fear or confusion whatsoever....
Hmm, sorry about that then; it was rather nastily worded though, and I hope you'll understand me thinking it was more an attack against TNT than a good-faith tip.
Oh, don't worry, AySz88, I do understand. Honest I do. And I hope you didn't think I was attacking or trying to one up you. I just remembered reading about it recently so I wanted to share Neo's thoughts on it. It is still unclear as to whether disabling Javascript is against the rules altogether or just not allowed when a person is restocking. They don't really come right out and say it in black and white. But you might get that feeling if you read between the lines. From reading the chat boards and forums of other Neo fansites, I have seen that many people are confused and a little afraid about what they can and cannot do with respect to browser functions. And, hey, I stand right beside you on one very big issue: It isn't nice to attack TNT. And, gosh, just read a few of my recent backposts and you will see what I mean.
EDIT: And hey, thanks for bringing these vulnerabilities to our attention. It is really great to see people who are kind and caring enough to alert their fellow members to the ever-increasing dangers on the internet. I will spread the word about this to my guild members. So, you deserve a great big thanks because you might just save someone from possible harm. ((hugs))
Fri Feb 16, 2007 6:25 am
No need to defend Firefox. Those coming from non-Windows based systems may have a decent 'argument' (not that I see it as an argument). Yes, I was posting dual sentiments based on a recent Editorial (that most users might not even read, furthering my subtle point).
If you want to argue about FF, PM me lol. Otherwise, I have the overgeneral opinion that most (native-Windows using) FF users were 'scared' to such by IE exploits, and the rest of us .. well, we learned from such exploits. Nothing is that safe forever. Always keep on top.
Most people were 'born into' a Windows environment. Either one adapts and learns, or can run away to the shelter of something 'feeling safer' (once again I state I am overgeneralizing) whilst knowing nothing about it.
I am personally happy when someone identifies a weak area of security. They are smart and bold enough to speak about it to protect the rest of us.
And by the way, the link in my previous post came from a devout FF user. I don't have the desire to defend my browser like y'all do. But if I did I could cite several better, I am sure.
And just so you know this was not a personal (or impersonal) attack, I must say I respect you, AySz88, for coming forth to tell us all.
EDIT: And just for the 'legal' record, Terms do not have to be stated in black and white, else .. well, else legal code would be .. still be being written. BUT some EULAs and Terms and Conditions are like 'really bad contracts.' If you want to exercise and protect your rights, know them.
If you want to argue about FF, PM me lol. Otherwise, I have the overgeneral opinion that most (native-Windows using) FF users were 'scared' to such by IE exploits, and the rest of us .. well, we learned from such exploits. Nothing is that safe forever. Always keep on top.
Most people were 'born into' a Windows environment. Either one adapts and learns, or can run away to the shelter of something 'feeling safer' (once again I state I am overgeneralizing) whilst knowing nothing about it.
I am personally happy when someone identifies a weak area of security. They are smart and bold enough to speak about it to protect the rest of us.
And by the way, the link in my previous post came from a devout FF user. I don't have the desire to defend my browser like y'all do. But if I did I could cite several better, I am sure.
And just so you know this was not a personal (or impersonal) attack, I must say I respect you, AySz88, for coming forth to tell us all.
EDIT: And just for the 'legal' record, Terms do not have to be stated in black and white, else .. well, else legal code would be .. still be being written. BUT some EULAs and Terms and Conditions are like 'really bad contracts.' If you want to exercise and protect your rights, know them.
Sat Feb 17, 2007 2:15 am
Hmmm... I think I'm getting Opera now.
Wed Feb 21, 2007 3:40 am
I'm not sure how certain they are, but there are <s>whispers</s> rumors that Opera might also be susceptible to the same attack.
edit: (Claim retracted by GNUCitizen.)
edit: (Claim retracted by GNUCitizen.)
http://www.pcmag.com/article2/0,1895,2096640,00.asp wrote: A separate analysis by GNUCitizen.org shows that the Opera browser may also be susceptible.
Last edited by AySz88 on Fri Feb 23, 2007 10:42 pm, edited 1 time in total.
Wed Feb 21, 2007 3:59 am
AySz88 wrote:I'm not sure how certain they are, but there are whispers that Opera might also be susceptible to the same attack.http://www.pcmag.com/article2/0,1895,2096640,00.asp wrote: A separate analysis by GNUCitizen.org shows that the Opera browser may also be susceptible.
Bad journalism from PCmag.com and bad research from AySz88, but no offense / nothing personal.
1) Whispers implies multiple, independent personae who claim this. Who else (who has knowledge about browsers) claims this?
2) If you'd scroll down at the URL you'd read: "OK folks, I cannot reproduce the bug in Opera, although sometimes I get the feeling that it is possible. It seams that Opera is in fact the most secure browser, or maybe I am wrong." (this is from the author of the blog Gnucitizen).
3) There is no proof of concept for Opera; there is for IE and FF.
4) FWIW: I read elsewhere, Opera does not have a certain feature related to 'focus' which is related to what is exploited here. I don't recall where I read this though.
Thu Feb 22, 2007 3:24 pm
I read this on Teletext yesterday I didn't (as usual) understand a word of it so thanks for posting it here with a proper explaination. ^^
Personally, I'm getting rather sick of this. I don't do anything really important on my computer and nor do my parents - the only really money-based thing my parents do is occasionally shop... but even that is in frequent and with only two websites where we get emails if we buy anything. We don't bank or anything like that. Only thing anyone would be interested in is Neopets. I have Internet Explorer 5.5 I believe and don't really see any point in updating it. There are always going to be holes in programs hackers exploit and if there sole purpose is to get into someone's account on Neopets... I pity them. ¬.¬ I just don't see any point in updating just because of Neopets (in my case). These cookie grabbing attempts are just putting me off the site more and more now. Neo just isn't worth this worrying anymore... in the past maybe, but now?
Meh. Thanks for the heads up though. ^^ Only site I type anything into that I don't really trust are random FanListings.
Personally, I'm getting rather sick of this. I don't do anything really important on my computer and nor do my parents - the only really money-based thing my parents do is occasionally shop... but even that is in frequent and with only two websites where we get emails if we buy anything. We don't bank or anything like that. Only thing anyone would be interested in is Neopets. I have Internet Explorer 5.5 I believe and don't really see any point in updating it. There are always going to be holes in programs hackers exploit and if there sole purpose is to get into someone's account on Neopets... I pity them. ¬.¬ I just don't see any point in updating just because of Neopets (in my case). These cookie grabbing attempts are just putting me off the site more and more now. Neo just isn't worth this worrying anymore... in the past maybe, but now?
Meh. Thanks for the heads up though. ^^ Only site I type anything into that I don't really trust are random FanListings.
Fri Feb 23, 2007 10:35 pm
allnameswereout wrote:1) Whispers implies multiple, independent personae who claim this. Who else (who has knowledge about browsers) claims this?
Heh, I'd say the word implies multiple but not necessarily independent, and PCMag/CNet and GNUCitizen are two sources, so that's "whispers". :p (I also meant whispers in the "rumors" sense, not the "inside info" sense, if that was where the confusion was.... I've also noted the GNUCitizen retraction in my original post.)