Cookie Grabbers on Neopets =(

[devindemel]

To explain, I'm gonna quote an article that SunnyNeo just published:

"It appears that Neopets once again has cookie grabbers on the site. They are in user shops as well as on userlookups.

Some people have been pricing the items in their shop well below the average price, ensuring that plenty of people come to the shop, where the cookie grabber is located.

To keep your account secure, we advise you to do the following:

Activate a PIN, and place it on all available areas of the site. PIN numbers cannot be gained by a cookie grabber.

Place all items from your inventory into your Safety Deposit Box. You cannot place a PIN on your inventory, but you can place one on your Box.

Change your email, and do not validate the change. This will ensure that if your account is compromised, whoever gets in cannot change the email to which the account is assigned for 24 hours.

We also suggest that you withdraw all neopoints from your shop till, as they will be easy for someone wrongfully in your account to take, as the till does not have a PIN number assigned.

Also, it is recommended that you bank all neopoints, and then proceed to withdraw one neopoint from your bank fifteen times. This locks you out of your bank, only allowing you to deposit neopoints.

And last, but by no means least, you should make sure that your password is not easy to guess."


Posted by oobajooba on 1st of August 2008 at 10:05 PM NST

[fullbloom720]

This is definitely something to keep cautious about. Thanks for notifying us all, Devin.

[fairy_tale_girl64]

gosh lovely!!! thanks for the heads up~

[captvatng1]

Relax -- this is not anything new. These things surface periodically.

Having said that, here's a simplified technical explanation ...

A cookie is a small piece of data saved by your browser on behalf of Neopets.com. It saves your login information so you don't have to log in every time you want to do something on Neopets.com. A cookie grabber is any browser exploit on another website that allows an attacker to capture your browser cookies. Those cookies contain your login information, and can be used to log into your account from the attacker's computer.

The advice people in the forums give you is usually "delete your cookies!". That will not make any difference if you've already visited the site with the cookie-grabber. They already have your cookies (which contain your password and deleting them from your system will make absolutely no difference to the scammer, it will only require you to log in again. Once a cookie has been grabbed you need to change your password and e-mail. Deleting your cookies before you visit suspicious outside pages will help.

As long as you stay on the domain www.neopets.com, your account is safe. You know how userlookups and shops "break" with certain code? That's because Neopets is checking for scripts that do things like try and insert cookie grabbers. In order to have someone "steal" your cookies, you have to leave the neopets site and go to another. When you visit a shop, look up at the url and be sure it starts with 'www.neopets.com'.

If you have already gone to a site that you suspect might have a cookie grabber, then change your neopets password. There's no need to pat your head and rub your tummy, twirl around and withdraw 1 NP 15 times from the bank. Once you change your password and email address, the stolen cookie won't work and a request for replacement password won't be sent to the scammer.

Only visit sites you trust. Set your browser preferences to block pop-ups. Avoid using Explorer for a browser (it's the most prone to security leaks). Use security software like Symantec or ZoneAlarm. And be sure you have the most updated version of your browser.

If you really think the cookies have been grabbed, I'd be worried about any time you've logged into your online bank or paid a bill online, not neopoints.

[drewalot]

yeah thanks for the head up