
Thread: About Cookie Grabbers

  1. #1
    tiramisu

    About Cookie Grabbers

    In my many years of playing Neo I've never found any of my accounts hacked, even though I frequently visit user shops/petpages/etc. Still, if people say there's a real security issue, I'd like to take it into account.

    What bugs me is that usually when CGs are mentioned it's in the form of mass hysteria, with people having no idea what's happening. I was hoping that some people on here would be able to shed some light on the issue. Here are some questions I have:

    1. How likely is CGing to happen on Neo at the moment (shops, lookups, petpages, boards)? I've seen a ton of cleared shop descriptions and "-blocked-" elements in the source, and it seems to me that with the current sensitive filtering it would be hard to pull off.

    2. Would CGing on Neo require clicking a link, or is automatic CGing currently possible?

    3. What are the most common indicators of a modern CG in the source code?

    I'm sorry if there's an up-to-date guide to this somewhere, I was unable to find one, and thank you for any input you may have.

  2. The Following 2 Users Say Thank You to tiramisu For This Useful Post:

    Corliss (08-22-2019),Sakuras (06-23-2019)

  3. #2
    Meepit
    Seems very unlikely.
    Most of what I've ever read here says that kinda stuff is patched out. A lot of the "hacks" are from an old ass website breach that people never updated their info after, but it's easier to blame CGers instead of their own stupidity.
    Taking actives is frowned upon here, so it's not likely anyone would share if there was one actively being used.
    A lot of cleared shop descriptions had old crap the website would block now. I have run into shops with people's usernames from messengers and stuff too, so they could have been cleared for a lot of random stuff that isn't harmful at all. Dunno about the automatic thing, but there are people who know way more than I ever will.

  4. #3

    Quote: Originally Posted by tiramisu
    In my many years of playing Neo I've never found any of my accounts hacked, even though I frequently visit user shops/petpages/etc. Still, if people say there's a real security issue, I'd like to take it into account.

    What bugs me is that usually when CGs are mentioned it's in the form of mass hysteria, with people having no idea what's happening. I was hoping that some people on here would be able to shed some light on the issue. Here are some questions I have:

    1. How likely is CGing to happen on Neo at the moment (shops, lookups, petpages, boards)? I've seen a ton of cleared shop descriptions and "-blocked-" elements in the source, and it seems to me that with the current sensitive filtering it would be hard to pull off.

    2. Would CGing on Neo require clicking a link, or is automatic CGing currently possible?

    3. What are the most common indicators of a modern CG in the source code?

    I'm sorry if there's an up-to-date guide to this somewhere, I was unable to find one, and thank you for any input you may have.

    1. Unlikely
    2. Automatically
    3. JavaScript getting document.cookie

  5. #4
    Bat
    1. It's not likely to happen from within the site itself, on any page. The cleared shop descriptions nowadays are often just the word filter catching up with the latest slang for derogatory words, or the result of somebody having their shop reported for whatever reason. The Neopets server subjects all board, lookup, pet page and shop input type="text", select and textarea fields to a filtering routine which removes JavaScript. This prevents users from executing scripts which could hijack your cookies.

    Unless someone has copied your cookies from your browser's local database, captured your traffic as you browse, or installed an extension or script-injector, then your cookies are safe.

    2. (you need an account to see links) by clicking a link would only be possible if that link could be manipulated to execute code through a JavaScript event. (you need an account to see links) for a user's personal information by tricking them into manually entering their username and password is often associated with clicking a link, which will cause you to navigate to a site that is often disguised to look like the login page of the site you came from. A user may mistake that page as genuine and provide their credentials, resulting in their username and password being stolen.

    3. You'd want to look out for any code which is accessing the document.cookie object, then attempting to send that string off-site via an iframe request or postback, WebRTC, WebSocket or XMLHttpRequest. UserScripts can also use GM.xmlHttpRequest or GM_xmlhttpRequest to send data as well.

    The trouble with detecting when code is stealing cookies is that a smart developer will (you need an account to see links) their code, which makes it difficult to decipher what it's doing. Furthermore, almost all of the methods mentioned above are used on the Neopets site in some capacity, either by the site itself, or the advertiser content you see as you browse. Attempting to manually identify the good from the bad will be a tedious task.

  6. The Following 14 Users Say Thank You to Bat For This Useful Post:

    Achyfi (08-21-2019),Autobot (06-24-2019),Botan (06-24-2019),Cinnamoroll (06-23-2019),Delibird (06-23-2019),Meepit (06-23-2019),mugi (06-23-2019),Pearl (08-22-2019),Pinecone (06-24-2019),Sakuras (06-23-2019),Sugar Rush (06-23-2019),tiramisu (06-24-2019),vocaloid (06-23-2019),Witch (06-23-2019)
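
The check described in answer 3 of post #4, as an added example that is not part of any post in this thread: a heuristic scanner that flags script source which reads `document.cookie` and also references one of the send channels the post names. The sample strings, the `ads.example` hostname, the verdict labels and the list of "opaque" constructs are constructed assumptions for illustration.

```javascript
// Added example: flag script source that reads document.cookie AND references
// one of the send channels named in the post. Samples are constructed.
const COOKIE_READ = /\bdocument\s*(?:\.\s*cookie\b|\[\s*["']cookie["']\s*\])/;
const SINKS = [
  { name: "XMLHttpRequest", re: /\bXMLHttpRequest\b/ },
  { name: "WebSocket", re: /\bWebSocket\b/ },
  { name: "WebRTC", re: /\bRTCPeerConnection\b/ },
  { name: "iframe", re: /<iframe\b|createElement\(\s*["']iframe["']\s*\)/i },
  { name: "GM xmlHttpRequest", re: /\bGM[._]xmlhttprequest\b/i },
];
// Constructs that hide what the code does; their presence means the plain-text
// checks above cannot be trusted and a human has to look.
const OPAQUE_HINTS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "atob", re: /\batob\s*\(/ },
  { name: "fromCharCode", re: /String\.fromCharCode/ },
  { name: "Function", re: /\bFunction\s*\(/ },
];

function matches(table, src) {
  return table.filter((t) => t.re.test(src)).map((t) => t.name);
}

function scanScript(src) {
  const readsCookie = COOKIE_READ.test(src);
  const sinks = matches(SINKS, src);
  const opaque = matches(OPAQUE_HINTS, src);
  let verdict = "no-indicator";
  if (readsCookie && sinks.length > 0) verdict = "cookie-read-with-sink";
  else if (opaque.length > 0) verdict = "opaque-needs-manual-review";
  else if (readsCookie) verdict = "cookie-read-only";
  return { verdict, readsCookie, sinks, opaque };
}

const SAMPLES = {
  direct: 'var c = document.cookie; var x = new XMLHttpRequest(); /* c is sent to another origin */',
  userscript: 'var c = document["cookie"]; GM_xmlhttpRequest(details);',
  prefs: 'var dark = document.cookie.indexOf("theme=dark") >= 0;',
  adFeed: 'var ws = new WebSocket("wss://ads.example/feed");',
  packed: 'eval(atob("Y29uc29sZS5sb2coMSk="));',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const r = scanScript(src);
  console.log(name.padEnd(11), r.verdict, r.sinks.join(","), r.opaque.join(","));
}
```

The `prefs` and `adFeed` samples show why a hit on either pattern alone means little: ordinary site and advertiser code reads cookies and opens sockets too, so only the combination, or code that cannot be read at all, is worth a manual look.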

  7. #5

    People like to blame "CG" when they don't understand what's going on or fear losing something.

    The PC yells out CGer like Trump yells out "fake news".

    I don't think CGing has been a thing on Neopets for years, but people still like to call it out.

  8. The Following 7 Users Say Thank You to motherfucker For This Useful Post:

    Brickhaus (06-24-2019),Cinnamoroll (06-23-2019),Delibird (06-23-2019),♥ PrettySarcastic ♥ (06-23-2019),Sakuras (06-23-2019),Sugar Rush (06-23-2019),Woodpecker (08-21-2019)

  9. #6
    Guil
    During the last CG I was aware of, the telltale sign was on pet lookups: the pet flash image box appeared on the lookups twice. That's all I really know about them lol


  10. #7
    GeorgieLiquor
    I got both of my old accounts grabbed, but oddly enough, it doesn't seem like they took anything. They fucked with my emails a bit though. It wasn't anything super malicious or active, I just hadn't played in years and didn't change passwords after the breach.

  11. #8
    Bat
    Quote: Originally Posted by GeorgieLiquor
    I got both of my old accounts grabbed

    Having your cookies "grabbed" isn't a generalized term for having an account stolen. It's a specific technique used wherein the target's Neopets cookies are copied from their browser in order to be used by someone else. It allows the person who "grabbed" the cookies to use the victim's account without having to log in for a time. The breach was simply a mass harvesting of Neopets user credentials. Nothing as nefarious as targeted cookie grabbing.

  12. The Following 3 Users Say Thank You to Bat For This Useful Post:

    Botan (06-24-2019),Delibird (06-23-2019),Pinecone (06-24-2019)

  13. #9
    GeorgieLiquor
    Quote: Originally Posted by Odd
    Having your cookies "grabbed" isn't a generalized term for having an account stolen. It's a specific technique used wherein the target's Neopets cookies are copied from their browser in order to be used by someone else. It allows the person who "grabbed" the cookies to use the victim's account without having to log in for a time. The breach was simply a mass harvesting of Neopets user credentials. Nothing as nefarious as targeted cookie grabbing.

    Got it. Sometimes the terminology here is a bit hard for me to grasp, since some of it is NP related and then some of it is programming or coding related.

    How do people even manage to grab cookies from others?

  14. #10
    Bat
    Quote: Originally Posted by GeorgieLiquor
    How do people even manage to grab cookies from others?

    I described how cookies can be grabbed (you need an account to see links), in answer 1 to the thread owner's question.

  15. The Following User Says Thank You to Bat For This Useful Post:

    Delibird (06-23-2019)
