For Neopets ONLY discussion.
Topic locked

Be careful going to user lookups . . .

Sat May 26, 2007 6:03 am

Be careful, everyone. I was just reading a board in the battledome chat. A person with a two-week-old account, no shop and no stats was telling people to go to his userlookup. When they go, they lose about 250 nps with each refresh. I looked at the guy's source code for the lookup and he has code in his lookup that automatically makes you purchase certain high-priced stocks.

By putting this in his background, he is getting people to buy stock that they might not want to buy. And though that might not seem so bad, it clearly shows that there is a security issue with the new user lookups. Because this person is making this so public, I am worried that others might get the idea to put this type of coding in their user lookups to do worse, like get a person to buy some overpriced thing from their shop or donate to the money tree. I reported it over an hour ago and yet no one has done anything. In fact, others on the board were laughing about it. Obviously they have never gotten hit by a CGer.

Anyway, if some person unknown to you asks you to go to their userlookup, you might want to pass until TNT fixes this.

Removed code just in case some other annoying person copies the idea

Sat May 26, 2007 7:26 am

Well, that's just rather awful, isn't it? What kind of sick, twisted person has that much time on their hands?

That being said, everyone go to my user lookup... it's 123FOOLEDU321

Sat May 26, 2007 7:30 am

Well, since Neo wasn't doing a thing about it, I posted about it on charter chats. I think that helped to get staff's attention because I got a lot of response to it. And my guess is that some of those people also reported him. The guy's board was deleted and the coding is out of his userlookup, but he isn't frozen. And one would guess that they haven't patched the hole yet. So this could happen again. Hopefully, the programmers will get wind of it and fix it soon.

I don't want to cause mass hysteria, but then again, I have been hit by a CGer in the past, and so I am now a little gun shy when people take it upon themselves to mess with coding.

Sat May 26, 2007 12:03 pm

Maybe the person with that code in their lookup had been mailing TNT about the problem, didn't see it fixed yet, and so stuck the code in for a fast response. Something like "hey, I told you it could happen! Fix it now!" Or they just felt like being annoying. Either way, I hope it gets fixed quickly, and thanks for the warning.

Sat May 26, 2007 12:15 pm

Cerise wrote:Maybe the person with that code in their lookup had been mailing TNT about the problem, didn't see it fixed yet, and so stuck the code in for a fast response. Something like "hey, I told you it could happen! Fix it now!" Or they just felt like being annoying. Either way, I hope it gets fixed quickly, and thanks for the warning.


That could very well be.

But that doesn't countenance him directing innocent users to his lookup. Yeah it was reported, but other people have to deal with it.

It's things like these that keep me from visiting any lookup.

Sat May 26, 2007 2:20 pm

Hmm I wonder what kind of coding he used for it. I wasn't aware that you could put anything but HTML in the box but I guess not.

Sat May 26, 2007 4:37 pm

Removed code just in case some other annoying person copies the idea


Whichever mod did that, thanks! It was extremely late last night when I posted this and I wasn't thinking. For anyone interested in what kind of coding it was, the person put coding in their user lookup that automatically forced a person to buy a certain number of shares of a certain stock.

Cerise wrote:Maybe the person with that code in their lookup had been mailing TNT about the problem, didn't see it fixed yet, and so stuck the code in for a fast response. Something like "hey, I told you it could happen! Fix it now!"


Doubtful. The account was two weeks old with one pet, no shop and barely any stats (games played=1, avs=3, bd fights=0). This wasn't a long-term player who saw a problem in coding. This was either someone with a warped sense of humor or someone who might be testing the waters and planning bigger and badder things. *shudder*

Sat May 26, 2007 7:05 pm

So if you didn't have enough neopoints on hand to complete the transaction, would it still go through?

Sat May 26, 2007 8:18 pm

Erin wrote:So if you didn't have enough neopoints on hand to complete the transaction, would it still go through?


No, it didn't go through if you didn't have the cash on hand. It also wouldn't go through if you had purchased your maximum share of stocks for the day. So, best advice, I guess, if you are going to an unknown user's lookup is to make sure you have 0 nps on hand. At least until Neopets fixes this. When I reported this, I indicated that someone needed to alert a programmer about this hole in their security system. I also have written a few people who have connections with TNT staff members, including a programmer or two, so hopefully it will get fixed soon.

Sun May 27, 2007 12:24 am

I haven't seen the exploit code, so out of curiosity... Is this one of those things that could have been prevented with one of those "Oops! You were directed to this page from the wrong place!" screens?

Sun May 27, 2007 12:30 am

AySz88 wrote:I haven't seen the exploit code, so out of curiosity... Is this one of those things that could have been prevented with one of those "Oops! You were directed to this page from the wrong place!" screens?


I will PM you.

Sun May 27, 2007 1:51 am

Oh wow, what will people think of next. :( Thanks for the heads up. I tend not to go to the lookups of people I don't know unless I can help it. Still, you'd think that with all this revamping that TNT would have checked for gaps like this...

Sun May 27, 2007 2:00 am

Kurisutaru wrote:Still, you'd think that with all this revamping that TNT would have checked for gaps like this...


Yeah, that was sort of my thought when I saw it. Like uhhhmmm, you all knew this could happen so why didn't anyone figure it out beforehand. Sad that a user has to bring it to the attention of the programmers.

Sun May 27, 2007 2:16 am

On the bright side... at least it didn't benefit the person at all. The nps didn't go to them and share prices go up and down irrespective of how many people buy stocks.

Sun May 27, 2007 2:53 am

This particular exploit has been patched, it seems. To see the error message, try to include "<a src=asdf>" in your profile (don't bother to enter your current password, so it won't go through if something goes wrong) and try to submit.

I kinda think, though, it is partly a problem with the process_stockmarket page, maybe more a problem with it than anything else. There could be some use for allowing that sort of functionality in the process_stockmarket page - for example, you can do one-click-buy links from a spreadsheet or something. But there's already a way to pre-fill the name of the stock on the buy page - for example, http://www.neopets.com/stockmarket.phtm ... icker=ACFI - so there really isn't any need to one-click-buy stocks from any external place, and would have prevented holes like this from taking advantage of it.

I get the feeling that playing Buried Treasure and the Fire All Workers link of Plushie Tycoon would have the same problem if someone tried it. Can't try it now, of course. :)

[edit] clarify
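Added example, written for this page and not code from the thread or from Neopets: the two server-side checks the last few posts circle around. The first refuses profile markup that makes a visitor's browser fetch a URL on its own (the `<a src=asdf>` test above suggests the site now rejects `src`, and the "background" mention earlier is the same class of attribute). The second is the "wrong place" guard for a purchase-style page, with the caveat that a Referer check alone is not enough, since an image embedded in a profile on the same host carries a same-host Referer. The host names, the hidden-field name and every sample string are assumptions for illustration.

```python
"""Added example: two server-side guards against the user-lookup problem
described in this thread.  This is not Neopets code.  SITE_HOST,
ALLOWED_STATIC_HOSTS, CSRF_FIELD and every sample string below are
assumptions made for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import hmac

SITE_HOST = "www.neopets.com"                   # assumption: host serving logged-in pages
ALLOWED_STATIC_HOSTS = {"images.neopets.com"}   # assumption: cookie-free static image host
CSRF_FIELD = "csrf_token"                       # assumption: hidden form field name

# Attributes whose URL the browser fetches with no click from the visitor.
AUTO_FETCH_ATTRS = {"src", "background", "data", "poster", "srcset", "lowsrc"}
# Elements that load or run something on their own regardless of attributes.
FORBIDDEN_TAGS = {"script", "iframe", "frame", "embed", "object",
                  "link", "meta", "style", "base", "form"}


def _auto_fetch_url_ok(value):
    """Only absolute http(s) URLs on a static image host may be auto-loaded.
    A relative URL resolves against the site itself, which is exactly how a
    profile can make the visitor's browser hit one of the site's action pages."""
    parts = urlsplit((value or "").strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in ALLOWED_STATIC_HOSTS


class ProfileAuditor(HTMLParser):
    """Collects reasons a submitted profile should be refused."""

    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag in FORBIDDEN_TAGS:
            self.problems.append("<%s> is not allowed" % tag)
        for name, value in attrs:          # html.parser lowercases attribute names
            if name in AUTO_FETCH_ATTRS and not _auto_fetch_url_ok(value):
                self.problems.append("<%s %s=...> would auto-load a non-static URL" % (tag, name))
            elif name.startswith("on"):
                self.problems.append("<%s %s=...> event handlers are not allowed" % (tag, name))
            elif name == "style" and "url(" in (value or "").lower():
                self.problems.append("<%s style=...> must not contain url()" % tag)

    handle_startendtag = handle_starttag   # treat <img ... /> like <img ...>


def profile_html_problems(html):
    """Return the list of problems; an empty list means the profile is accepted."""
    auditor = ProfileAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.problems


def purchase_request_allowed(method, headers, form, session_csrf_token):
    """Guard for a state-changing page such as a stock purchase.
    Returns (allowed, reason).  A 'wrong place' screen alone is not enough:
    an image embedded in a profile on SITE_HOST carries a same-host Referer,
    so the POST requirement and the per-session token do the real work."""
    if method.upper() != "POST":
        return False, "state changes must be POST; a link or image fetch is a GET"
    hdrs = {k.lower(): v for k, v in headers.items()}
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        return False, "no Origin or Referer header: wrong place"
    host = (urlsplit(source).hostname or "").lower()
    if host != SITE_HOST:
        return False, "request came from %s: wrong place" % host
    token = form.get(CSRF_FIELD, "")
    if not (session_csrf_token and hmac.compare_digest(token, session_csrf_token)):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples, not markup from the thread.
    for sample in ("<p>Hello <b>world</b></p>",
                   '<img src="http://images.neopets.com/pic.gif">',
                   "<a src=asdf>",
                   '<body background="/some_action.phtml?do=buy">'):
        print(repr(sample), "->", profile_html_problems(sample) or "accepted")
    print(purchase_request_allowed(
        "GET", {"Referer": "http://www.neopets.com/userlookup.phtml"}, {}, "t0k3n"))
    print(purchase_request_allowed(
        "POST", {"Origin": "http://www.neopets.com"}, {"csrf_token": "t0k3n"}, "t0k3n"))
```

The profile filter is an allow-list on where auto-loaded URLs may point, rather than a ban on one attribute, so ordinary hosted images still work while anything relative (and therefore same-site) is refused. The endpoint guard shows why the thread's "one-click-buy from an external place" is the root of the problem: the same-host Referer from a profile page passes the "wrong place" test, and only the POST-plus-token requirement turns the hidden fetch away.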