Pink Poogle Toy Forum

The official community of Pink Poogle Toy

All times are UTC




Posted: Sun Dec 31, 2006 10:47 pm
PPT God

Posts: 1649
Joined: Thu Jan 05, 2006 4:11 pm
Location: At a Rascal Flatts Concert
Gender: Female
MagicalMystery wrote:
My main question is, is there any obvious symptoms of being 'Grabbed?
Sometimes, a pop up will pop up for a sec., then disappear


Set by the amazing Kitten Medli.
Wanna see some of my writing? Click here!


Posted: Sun Dec 31, 2006 10:50 pm
Newbie

Posts: 21
Joined: Mon Jul 03, 2006 4:50 pm
Quote:
It cracks Windows passwords (of all types, apparently even in cookies) via the Windows Registry. In short, it uses an English dictionary and can crack a password with letters and numbers in about 10 days or less. So 'efficient' that the makers of the software pulled the plug on the project.
That makes little to no sense, to me at least. Firstly, although Neopets does store your password in a cookie, it is not plaintext. It is in an MD5 hash. Again, although those can be cracked, you'd need quite the computer to do it quickly.

But, even if it is possible to do such a thing, it is the most roundabout way of getting your (Neopets) password imaginable. The program could just as easily open Internet Explorer, and just act as you online. Or if it really wanted your password, it could just detect your key strokes, and send them back to the script writer.

To go through the hassle of cracking the hash is completely unnecessary once you have a rogue program on somebody's computer.

I hope that made sense.
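
Added example, not part of the post above and not Neopets code: a Node.js sketch of why a cookie holding a hash of the password works as a login token on its own, next to a server-side session design that can be revoked. The md5-of-password cookie follows the post's description; `SessionStore`, the cookie name `sid`, the user `alice` and the sample passwords are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Scheme as the post describes it: the cookie value is md5(password).
// Whoever holds the value is treated as logged in; nothing has to be cracked.
function legacyCookie(password) {
  return crypto.createHash('md5').update(password, 'utf8').digest('hex');
}

function legacyAccepts(cookieValue, currentPassword) {
  return cookieValue === legacyCookie(currentPassword);
}

// Assumed alternative: random session IDs that exist only in a server-side table.
class SessionStore {
  constructor(ttlMs = 30 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.sessions = new Map(); // token -> { user, expires }
  }

  login(user, now = Date.now()) {
    const token = crypto.randomBytes(32).toString('hex'); // unrelated to the password
    this.sessions.set(token, { user, expires: now + this.ttlMs });
    return token;
  }

  // HttpOnly keeps the value out of document.cookie, Secure keeps it off plain
  // HTTP, SameSite=Lax stops it riding along on most cross-site requests.
  setCookieHeader(token) {
    return `sid=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`;
  }

  userFor(token, now = Date.now()) {
    const s = this.sessions.get(token);
    if (!s) return null;
    if (s.expires <= now) { this.sessions.delete(token); return null; }
    return s.user;
  }

  // Run on password change or "log out everywhere".
  revokeAll(user) {
    for (const [token, s] of this.sessions) {
      if (s.user === user) this.sessions.delete(token);
    }
  }
}

// Constructed walk-through: a copied cookie under each scheme.
function demo() {
  const t0 = 1000000;
  const copiedLegacy = legacyCookie('old-pass-constructed');
  const store = new SessionStore();
  const copiedSid = store.login('alice', t0);
  const idle = store.login('alice', t0);
  const r = {
    legacyReplay: legacyAccepts(copiedLegacy, 'old-pass-constructed'),
    legacyAfterPasswordChange: legacyAccepts(copiedLegacy, 'new-pass-constructed'),
    sidLive: store.userFor(copiedSid, t0 + 1000),
    sidExpired: store.userFor(idle, t0 + store.ttlMs),
  };
  store.revokeAll('alice');
  r.sidAfterRevoke = store.userFor(copiedSid, t0 + 2000);
  return r;
}
```

Under the hash-in-cookie scheme a copied value stays valid until the password changes, so a password change is the only revocation a user has; the session table adds expiry and server-side revocation.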


Posted: Sun Dec 31, 2006 10:52 pm
Newbie

Posts: 21
Joined: Mon Jul 03, 2006 4:50 pm
kcharles wrote:
MagicalMystery wrote:
My main question is, is there any obvious symptoms of being 'Grabbed?
Sometimes, a pop up will pop up for a sec., then disappear
I tend to think that is an urban myth, because I can't imagine a scenario where a pop-up would be required to perform any sort of javascript. A pop-up may be required when debugging, but not in actual production code. Of course, I could be incorrect, but so far I've heard little evidence this is actually a symptom besides hearsay.


Posted: Sun Dec 31, 2006 10:54 pm
Newbie

Posts: 21
Joined: Mon Jul 03, 2006 4:50 pm
spudge wrote:
1) Limit the HTML allowed
script tags, object tags, embed tags, etc... could be banned
They are banned. If they weren't, far worse things could be done.


Posted: Sun Dec 31, 2006 10:59 pm
Newbie

Posts: 21
Joined: Mon Jul 03, 2006 4:50 pm
JCMidore wrote:
If only said hackers were out there to prove a point, and in turn help spot security holes and report their methods and actions to TNT -- be a hero for once.
Believe it or not, I have done that in the past. I reported a huge vulnerability in the shop code, which would be self-replicating. That is, when you visit my shop, your shop now has the same code, and anybody who visits your shop is now infected as well. Included in that code was a cookie grabber.

I basically got no response from The Neopets Team for quite a while. After two months, they finally fixed it, and the result is the system we currently have in place, where all non-compliant HTML is not allowed.

So, no, just because you do the right thing does not mean you will be a "hero".
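
Added example (not from the thread, and not the filter Neopets deployed): one way to enforce an allowlist for user-supplied shop or lookup HTML, as discussed in the two posts above. Anything that is not an exact match for an allowed tag is escaped and shown as text rather than stripped; the tag list, function names and sample inputs are assumptions.

```javascript
// Tags allowed with no attributes at all (assumed list for illustration).
const PLAIN_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'p', 'ul', 'ol', 'li']);
const VOID_TAGS = new Set(['br']);

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Links are the only place an attribute is accepted, and only absolute http(s).
function safeHref(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return null; }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// Re-emit a tag in canonical form if it is allowed, otherwise return it escaped.
function renderTag(token, open) {
  let m;
  if ((m = /^<([a-z]+)>$/i.exec(token))) {
    const name = m[1].toLowerCase();
    if (VOID_TAGS.has(name)) return `<${name}>`;
    if (PLAIN_TAGS.has(name)) { open.push(name); return `<${name}>`; }
  } else if ((m = /^<\/([a-z]+)>$/i.exec(token))) {
    const name = m[1].toLowerCase();
    // A closing tag is honoured only if it closes the innermost open tag.
    if (open[open.length - 1] === name) { open.pop(); return `</${name}>`; }
  } else if ((m = /^<a href="([^"]*)">$/i.exec(token))) {
    const href = safeHref(m[1]);
    if (href) {
      open.push('a');
      return `<a href="${escapeHtml(href)}" rel="nofollow noopener">`;
    }
  }
  return escapeHtml(token); // not on the allowlist: displayed, never interpreted
}

function sanitize(input) {
  const open = [];          // stack of tags this function has opened
  const tagLike = /<[^<>]*>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagLike.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index)); // text between tags
    out += renderTag(m[0], open);
    last = m.index + m[0].length;
  }
  out += escapeHtml(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;  // close what the user left open
  return out;
}
```

Because every `<` in the output is written by `renderTag` itself, tags with extra attributes, split or nested tag fragments and non-http link schemes all come out as visible text.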


Posted: Mon Jan 01, 2007 1:48 am
Beyond Godly

Posts: 2834
Joined: Mon May 31, 2004 4:32 pm
Location: Far, far away
littlemac wrote:
I tend to think that is an urban myth, because I can't imagine a scenario where a pop-up would be required to perform any sort of javascript. A pop-up may be required when debugging, but not in actual production code. Of course, I could be incorrect, but so far I've heard little evidence this is actually a symptom besides hearsay.


When this first started happening last December, people who were grabbed had pop-up boxes on the page that the CG was embedded. When I got cookie grabbed in January--on the day when this person hit lots of big name players and even a monitor, I was directed to a fake front page. So, if you were around here last year at this time and saw the threads and topics on this--here on PPT, on the IDB forums, and on the Neo BD chats--you'd realize that this person's use of the pop-up isn't urban myth.


Tested made this fabulous set for me!!! Isn't it great?


Posted: Mon Jan 01, 2007 2:01 am
Newbie

Posts: 21
Joined: Mon Jul 03, 2006 4:50 pm
Morningstar wrote:
When this first started happening last December, people who were grabbed had pop-up boxes on the page that the CG was embedded.
Perhaps we should define pop-up box. I was under the impression this meant a new window, much like the advertisements many people get. This could also mean, I suppose, an alert box, such as "Are you sure you want to buy this item?". Do you know which one they are talking about?

Quote:
When I got cookie grabbed in January--on the day when this person hit lots of big name players and even a monitor, I was directed to a fake front page.
But, that is far different from a pop-up box, no??

Quote:
So, if you were around here last year at this time and saw the threads and topics on this--here on PPT, on the IDB forums, and on the Neo BD chats--you'd realize that this person's use of the pop-up isn't urban myth.
I was on Neopets at that time, but not on PinkPT. At that time, I was busy researching the exploit I told y'all about above.

That said, in my mind, all of that is still hearsay. Have you ever heard of Mass Hysteria? I can imagine a scenario where one person sees a pop-up box, and subsequently loses access to their account. This person posts this scenario, and suddenly everybody is worried about it. More people come out to support this with their own stories. I'm not saying people are lying, however they may either be imagining it, or it could've been entirely unrelated.

Remember the snipers in the Washington area a couple years ago? All of the witnesses swore they were in a white van. When they were found, they were in a blue sedan. No white van was ever found. The witnesses, because of what they heard in the media, were tuned to look for, and remember, a white van, even if one was not there. They were highly suggestible.

I don't see why the same thing could not have happened here.

The only reason I am in such doubt about this entire thing is because I really cannot think of a scenario where any script writer would need to make a new window.


Posted: Mon Jan 01, 2007 4:57 pm
Beyond Godly

Posts: 2834
Joined: Mon May 31, 2004 4:32 pm
Location: Far, far away
Littlemac, it isn't hearsay. At all. When it first started happening in December last year, grey log in boxes popped up. The user went to the person's shop or userlookup and a grey log in box popped up. I know this for a fact because 3 people in my guild, and 2 other good friends who are really big BDers, got hit that way. And, none of them put any info in the grey log in box. Their cookies got grabbed as soon as the pop up box appeared. Then the nasty jerk who was doing this worked on refining his technique so it wasn't so obvious that a person was getting hit. And a few weeks later that's when I got hit. And many others that same night. It happened when they were on the shop wiz, clicked the link to the person's shop and were redirected to another page, a page that had a cookie grabber on it.

Perhaps the person who did this wasn't as great a script writer as you and therefore, could only think of doing it by creating a new window, and keeps refining his technique as time passes.

And, unless you have been hit by a CGer, please don't talk to me about mass hysteria. If you had gotten hit and lost everything you had, perhaps you would feel differently. And not just lost everything you had, but had your pets abandoned, your guild dismantled, and all of your neofriends wiped off your friends list. That happened to my two BDer friends. And to well known members of PPT. The ONLY reason why I didn't lose my account was because of the "mass hysteria" that had been occurring. If I hadn't read on the PPT forums and in the BD chats about others getting hit by the CGers that night, I wouldn't have been suspicious when I was directed to a fake front page. Which looked exactly the same as the real front page.

Obviously Neopets didn't think it to be mass hysteria either because they instituted the pin program shortly thereafter.

You might want to do a search of past PPT threads to see what those of us who were hit said happened to us. It first started in December 2006 and a search of the words cookie grabber should pull up a bunch of threads.


Posted: Mon Jan 01, 2007 7:55 pm
PPT Baby

Posts: 99
Joined: Fri Nov 17, 2006 12:13 pm
Location: Northern England, UK
littlemac wrote:
MagicalMystery wrote:
My main question is, is there any obvious symptoms of being 'Grabbed?
Short Answer: No.
Long Answer: No. Not until you lose your neopoints at least.
Quote:

I heard that if you're 'Grabbed you're automatically logged out, is this true?
No, it's not true, unless the script writer did something horribly wrong.


Okay... well... that's certainly not a good thing. -_-;; I always presumed that there would be some side effect (other than obvious loss of wealth, possessions or anything else for that matter) after you were 'Grabbed. So much for that theory - I'd better read up on Cookies more. Unless they're just completely illogical, I always thought that you needed a Cookie to be logged into a Site and when the Cookie was gone you therefore wouldn't be logged into a Site as it stored your information so if you revisited the page on another window you'd still be there. Bleurk. So much for that. -is another thing to put on todo list-

I remember visiting PPT Forums last December when the Cookie Grabbers were about - I was trying to look for any information on them as I was getting mixed responses from the Neoboards (as usual). And I do remember people mentioning when they got 'Grabbed a Pop-Up appeared for a brief moment. I also remember someone saying they were only on Neopets at the time when that happened so it couldn't have been any other site... can't remember whom though. :oops:

Oh well, went shopping yesterday and didn't spot anything out of the ordinary - but I did change my password straight after though. -ponders- I remember someone saying that when the Cookie Grabbers were on the Trading Post there were huge white gaps between the 'Wishlist' text and the bottom of the lot if there was a 'Grabber present, not to mention incomprehensible coding... not sure if that is a fully fledged sign or not anymore though. o_O


Posted: Mon Jan 01, 2007 8:14 pm
PPT God

Posts: 1649
Joined: Thu Jan 05, 2006 4:11 pm
Location: At a Rascal Flatts Concert
Gender: Female
MagicalMystery wrote:
littlemac wrote:
MagicalMystery wrote:
My main question is, is there any obvious symptoms of being 'Grabbed?
Short Answer: No.
Long Answer: No. Not until you lose your neopoints at least.
Quote:

I heard that if you're 'Grabbed you're automatically logged out, is this true?
No, it's not true, unless the script writer did something horribly wrong.


Okay... well... that's certainly not a good thing. -_-;; I always presumed that there would be some side effect (other than obvious loss of wealth, possessions or anything else for that matter) after you were 'Grabbed. So much for that theory - I'd better read up on Cookies more. Unless they're just completely illogical, I always thought that you needed a Cookie to be logged into a Site and when the Cookie was gone you therefore wouldn't be logged into a Site as it stored your information so if you revisited the page on another window you'd still be there. Bleurk. So much for that. -is another thing to put on todo list-

I remember visiting PPT Forums last December when the Cookie Grabbers were about - I was trying to look for any information on them as I was getting mixed responses from the Neoboards (as usual). And I do remember people mentioning when they got 'Grabbed a Pop-Up appeared for a brief moment. I also remember someone saying they were only on Neopets at the time when that happened so it couldn't have been any other site... can't remember whom though. :oops:

Oh well, went shopping yesterday and didn't spot anything out of the ordinary - but I did change my password straight after though. -ponders- I remember someone saying that when the Cookie Grabbers were on the Trading Post there were huge white gaps between the 'Wishlist' text and the bottom of the lot if there was a 'Grabber present, not to mention incomprehensible coding... not sure if that is a fully fledged sign or not anymore though. o_O
TNT fixed the Trading Post error. There were never any cookie grabbers there.


Posted: Mon Jan 01, 2007 9:02 pm
Beyond Godly

Posts: 2834
Joined: Mon May 31, 2004 4:32 pm
Location: Far, far away
MagicalMystery wrote:
My main question is, is there any obvious symptoms of being 'Grabbed?
littlemac wrote:
Short Answer: No.
Long Answer: No. Not until you lose your neopoints at least.


MagicalMystery, when I was grabbed in January, I was well aware what was happening. So, littlemac isn't correct in saying that there are no obvious symptoms of being grabbed. Sometimes there are. When it happened to me, I saw cheap neggs on the SSW in a trustworthy BDer's shop. I attempted to go to the shop and was instead redirected to a fake Neopets page. But, the person who was doing this wasn't that slick because there was an ever so slight pause before I was redirected to the page. The fake page had the CGer on it. I instantly knew that something was wrong because it didn't make sense that I was getting Neo's front page instead of the guy's shop. And, the guy's shop was frozen within minutes afterward. He was one of many big name BDers who got hit that night. And the nasty person was planting this coding in the shops of those accounts he had compromised.

And, at the time my cookies were grabbed, I didn't get logged out. I did change my password as fast as I could, however. This was done so if the nasty person had gotten into my account, he'd be logged out of my account the second the password was changed.

I think the best advice is to play safe. First, you should set pins on everything. That way even if someone gets into your account, there's not much they can take. Second, clear your cookies any time you go from one account to another. Third, keep a pulse on what is happening to other users. Regularly check the PPT forums, IDB forums, and BD and Avatar chat boards. The cookie grabber thing has been happening every few months for the past year and the minute someone has gotten compromised, there will be buzz here, on the IDB forum, and most definitely on the BD chat board. And if and when that happens, be extra cautious while playing. Don't go to unfamiliar users' lookups and shops. If some unknown person writes you or posts on a chat board, don't go to check out their user lookup--it could be a trap. Be careful shop wiz sniping. If you see a great deal, it could be a set up. Doesn't hurt to change your password after you swipe that negg for 10 nps. And, finally, if you are playing and something just doesn't seem right--such as being directed to Neo's log in or front page, or a pop up box comes up--change your password. I keep a pen and piece of paper next to me at all times. And any time that I feel uncomfortable, I change my password and write it down on that piece of paper.

And, some of you can call me paranoid. But, I have a whole heck of a lot to lose if someone did get my account or my galleries. Multi-millions in nps. And a whole lot more than that in items. I am very good friends with one of the biggest battlers in Neopia. He has been scared many a time too. And goes out of his way to be extra cautious. Ask any of the big battlers if they think they are being paranoid. Or, if after seeing so many of their friends lose everything they had worked for, maybe they are realizing that it pays to be extra cautious.


Posted: Mon Jan 01, 2007 9:05 pm
PPT God

Posts: 1649
Joined: Thu Jan 05, 2006 4:11 pm
Location: At a Rascal Flatts Concert
Gender: Female
Morningstar wrote:
MagicalMystery wrote:
My main question is, is there any obvious symptoms of being 'Grabbed?
littlemac wrote:
Short Answer: No.
Long Answer: No. Not until you lose your neopoints at least.


MagicalMystery, when I was grabbed in January, I was well aware what was happening. So, littlemac isn't correct in saying that there are no obvious symptoms of being grabbed. Sometimes there are. When it happened to me, I saw cheap neggs on the SSW in a trustworthy BDer's shop. I attempted to go to the shop and was instead redirected to a fake Neopets page. But, the person who was doing this wasn't that slick because there was an ever so slight pause before I was redirected to the page. The fake page had the CGer on it. I instantly knew that something was wrong because it didn't make sense that I was getting Neo's front page instead of the guy's shop. And, the guy's shop was frozen within minutes afterward. He was one of many big name BDers who got hit that night. And the nasty person was planting this coding in the shops of those accounts he had compromised.

And, at the time my cookies were grabbed, I didn't get logged out. I did change my password as fast as I could, however. This was done so if the nasty person had gotten into my account, he'd be logged out of my account the second the password was changed.

I think the best advice is to play safe. First, you should set pins on everything. That way even if someone gets into your account, there's not much they can take. Second, clear your cookies any time you go from one account to another. Third, keep a pulse on what is happening to other users. Regularly check the PPT forums, IDB forums, and BD and Avatar chat boards. The cookie grabber thing has been happening every few months for the past year and the minute someone has gotten compromised, there will be buzz here, on the IDB forum, and most definitely on the BD chat board. And if and when that happens, be extra cautious while playing. Don't go to unfamiliar users' lookups and shops. If some unknown person writes you or posts on a chat board, don't go to check out their user lookup--it could be a trap. Be careful shop wiz sniping. If you see a great deal, it could be a set up. Doesn't hurt to change your password after you swipe that negg for 10 nps. And, finally, if you are playing and something just doesn't seem right--such as being directed to Neo's log in or front page, or a pop up box comes up--change your password. I keep a pen and piece of paper next to me at all times. And any time that I feel uncomfortable, I change my password and write it down on that piece of paper.

And, some of you can call me paranoid. But, I have a whole heck of a lot to lose if someone did get my account or my galleries. Multi-millions in nps. And a whole lot more than that in items. I am very good friends with one of the biggest battlers in Neopia. He has been scared many a time too. And goes out of his way to be extra cautious. Ask any of the big battlers if they think they are being paranoid. Or, if after seeing so many of their friends lose everything they had worked for, maybe they are realizing that it pays to be extra cautious.
Could you give me the link to the IDB forums? I want to add it to my favourites so I can check there every so often


Posted: Mon Jan 01, 2007 9:16 pm
Beyond Godly

Posts: 2834
Joined: Mon May 31, 2004 4:32 pm
Location: Far, far away
kcharles wrote:
Could you give me the link to the IDB forums? I want to add it to my favourites so I can check there every so often


Sure thing. You can find the IDB, in-depth battlepedia, at http://www.idb.finalhit.org/. You can view much of the forums without becoming a member; however, to see all of the forums, you need to become a member. You can find the forums here: http://forums.finalhit.org/index.php. It is a very safe, reputable site and inhabited by many knowledgeable BDers and many PPTers, as well.




Last edited by Morningstar on Mon Jan 01, 2007 9:22 pm, edited 1 time in total.

Posted: Mon Jan 01, 2007 9:20 pm
PPT God

Posts: 1649
Joined: Thu Jan 05, 2006 4:11 pm
Location: At a Rascal Flatts Concert
Gender: Female
Morningstar wrote:
kcharles wrote:
Could you give me the link to the IDB forums? I want to add it to my favourites so I can check there every so often


Sure thing. You can find the IDB, in-depth battlepedia, at http://www.idb.finalhit.org/. You can view much of the forums without becoming a member; however, to see all of the forums, you need to become a member. You can find the forums here: http://forums.finalhit.org/index.php. It is a very safe, reputable site and inhabited by many knowledgeable BDers.
Thanks!


Posted: Tue Jan 02, 2007 12:58 am
Newbie

Posts: 21
Joined: Mon Jul 03, 2006 4:50 pm
Morningstar wrote:
Littlemac, it isn't hearsay. At all. When it first started happening in December last year, grey log in boxes popped up. The user went to the person's shop or userlookup and a grey log in box popped up. I know this for a fact because 3 people in my guild, and 2 other good friends who are really big BDers, got hit that way. And, none of them put any info in the grey log in box.
Oh, I thought you guys said that they appeared then disappeared quickly. If there was a log-in box, that does make sense, sort of, though it makes it completely obvious to most people that it is a bad page.

Quote:
Their cookies got grabbed as soon as the pop up box appeared. Then the nasty jerk who was doing this worked on refining his technique so it wasn't so obvious that a person was getting hit. And a few weeks later that's when I got hit. And many others that same night. It happened when they were on the shop wiz, clicked the link to the person's shop and were redirected to another page, a page that had a cookie grabber on it.
Y'see, to me this makes no sense. A page outside of Neopets cannot grab your cookies from Neopets, unless you have a VERY old browser, or if they install software on your computer. But honestly, if they can do that, I'd have bigger worries than my Neopets account.

Quote:
Perhaps the person who did this wasn't as great a script writer as you and therefore, could only think of doing it by creating a new window, and keeps refining his technique as time passes.
To even get to that point, you'd have to be a somewhat decent script-writer. And then, you can write the code in 3 lines, literally. That's why I really see no need for a window, log-in box or not.
Quote:
And, unless you have been hit by a CGer, please don't talk to me about mass hysteria. If you had gotten hit and lost everything you had, perhaps you would feel differently. And not just lost everything you had, but had your pets abandoned, your guild dismantled, and all of your neofriends wiped off your friends list. That happened to my two BDer friends. And to well known members of PPT. The ONLY reason why I didn't lose my account was because of the "mass hysteria" that had been occurring. If I hadn't read on the PPT forums and in the BD chats about others getting hit by the CGers that night, I wouldn't have been suspicious when I was directed to a fake front page. Which looked exactly the same as the real front page.
That's not mass hysteria. However, I doubt every CG scare this year has been entirely justified. The ones that aren't, in my mind, should be classified as mass hysteria. Especially when people are suspicious of things that honestly, they should not be.
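
Added example, not part of the thread: the cookie scoping rules behind the point that a page on another site cannot read this site's cookies, following the domain-match and path-match rules of RFC 6265 (sections 5.1.3 and 5.1.4). The host names, cookie names and jar contents are constructed, and public-suffix and SameSite checks are left out.

```javascript
// Domain-match: identical host, or a dot-separated suffix of the host,
// and never a suffix match when the host is an IP address.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  const isIp = /^[0-9.]+$/.test(h) || h.includes(':');
  return !isIp && h.endsWith('.' + d);
}

// Path-match: equal, or the cookie path is a prefix ending at a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

function inScope(cookie, url) {
  const host = url.hostname.toLowerCase();
  // A host-only cookie (set without a Domain attribute) needs an exact host.
  const hostOk = cookie.hostOnly
    ? host === cookie.domain
    : domainMatch(host, cookie.domain);
  const secureOk = !cookie.secure || url.protocol === 'https:';
  return hostOk && secureOk && pathMatch(url.pathname, cookie.path);
}

// Names of the cookies a browser attaches to a request for this URL.
function sentTo(jar, urlString) {
  const url = new URL(urlString);
  return jar.filter((c) => inScope(c, url)).map((c) => c.name);
}

// Names of the cookies that script in a page at this URL can read
// through document.cookie: same scope, minus anything flagged HttpOnly.
function readableByScript(jar, urlString) {
  const url = new URL(urlString);
  return jar.filter((c) => inScope(c, url) && !c.httpOnly).map((c) => c.name);
}

// Constructed jar for a site served from www.game.example.
const JAR = [
  { name: 'login', domain: 'www.game.example', hostOnly: true,
    path: '/', secure: false, httpOnly: false },
  { name: 'prefs', domain: 'game.example', hostOnly: false,
    path: '/', secure: false, httpOnly: false },
  { name: 'sid', domain: 'game.example', hostOnly: false,
    path: '/', secure: true, httpOnly: true },
];
```

A page on any other host gets an empty list from both functions, while script running in a page on the site itself sees every in-scope cookie that lacks HttpOnly, so filtering user HTML and setting that flag are the controls that matter here.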

