Neomail Cookie Grabbers
  • Posted by Dave
  • Posted on November 3, 2010, 5:11 pm NST

We've received a couple reports about cookie grabbers making their way into Neomails. Before you panic, visit the Neopets Preferences page and tick off the "Plain text Neomail" option. This will block any risky Neomails from getting through to you and strip out anything harmful.

I'd also like to take this time to educate everyone on cookie grabbers and how they work! I posted this as a comment over at the wonderful Neopian Adults LiveJournal community, and I figured it'd be a good thing to post on the front page of JN as well. My explanation of cookie grabbers...

All "cookie grabbers" work on the same fundamental principle that aithyne mentioned: duplicating the string of information that your Neopets cookie contains and then using that information to login to your account.

A cookie is a file on your computer that your browser manages. It holds a string of information that a web server wants to remember about you later on. (For those who don't know, a "string" is a bunch of characters mashed together. They can be sentences, words, or whatever else you can think of typing with your keyboard.) Cookies are NOT the same as telling your browser to "save" or "remember" the password for when you log in to websites. Those passwords are kept locked up safely by your browser and are not available to things like JavaScript, which is what CGers generally execute in.

Sessions are a way for web servers to know that it is you each time you load a page without you having to log in every time you load a page on that website. A unique session ID is generated each time someone logs in to Neopets, and then that ID is associated with that user until they decide to log out (or until the server lets the session expire, which usually doesn't happen on Neopets).

In terms of Neopets, your Neopets cookie holds your username and your session ID, which corresponds to your logged-in status on the Neopets web servers. Every time you load a Neopets webpage, your browser sends your Neopets cookie file to the Neopets server, which processes it and decides what to do based on your cookies (e.g. when you visit neopets.com/bank.phtml, if you're logged in, your bank account will appear, but if not the server will make you log in).

Once a hacker steals your cookies, they basically have a key into your account. They don't need to know your password; they simply need to substitute your cookie string into their own cookie to gain access since the server will now think that the scammer's computer is actually your computer. (Unless there's some fancy dehashing algorithm CGers have... I don't think they can actually get a password from your cookie.)

Now, knowing what cookies and sessions are and how they work on Neopets, the next thing to discuss is how to defend against cookie theft. In theory, all you need to do is log out of your account to kill the session ID on the Neopets server. That would, again in theory, log out the scammer and make your stolen cookie worthless. (Since like I mentioned before, once you log back in, you'll get a *new* session ID which the hacker would need to steal all over again... and hopefully you're savvy enough to avoid the trap a second time!) However, it may also be a good idea to change your password since the hacker could also obtain your password by changing your email to their own and making a lost password request.
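To make the cookie-and-session mechanics above concrete, here is a small added illustration written for this page; it is not Neopets' code, and the `Server` class, its methods and the cookie layout are assumptions made for the demonstration. It shows why a copied cookie is accepted exactly like the original, why logging out kills every copy at once, and why a fresh login mints a new session ID that the old copy does not match.

```python
"""Server-side session model for the cookie-theft scenario described in
the post.  Added illustration, not Neopets' code: the Server class, its
methods and the cookie layout are assumptions made to show the mechanics."""
import secrets


class Server:
    """Minimal site: a password table and a session table mapping session
    IDs to usernames.  The cookie a browser holds is just the pair
    (username, session_id); the server trusts whoever presents it."""

    def __init__(self):
        self.passwords = {}   # username -> password (plain text, demo only)
        self.sessions = {}    # session_id -> username

    def register(self, username, password):
        self.passwords[username] = password

    def login(self, username, password):
        """Return a fresh cookie, or None on bad credentials.  A new random
        ID is minted on every login, so an old stolen ID never matches."""
        if self.passwords.get(username) != password:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return {"username": username, "session_id": sid}

    def whoami(self, cookie):
        """What any request carrying this cookie is treated as.  Nothing
        here checks *which* computer sent it: a copied cookie is
        indistinguishable from the original."""
        user = self.sessions.get(cookie.get("session_id"))
        if user is None or user != cookie.get("username"):
            return None
        return user

    def logout(self, cookie):
        """Delete the session server-side; every copy of the cookie dies."""
        self.sessions.pop(cookie.get("session_id"), None)

    def change_password(self, cookie, new_password):
        """Change the password and revoke all of the user's sessions, which
        is what makes 'change password, then log out' belt-and-braces."""
        user = self.whoami(cookie)
        if user is None:
            return False
        self.passwords[user] = new_password
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}
        return True


def replay_scenario():
    """Walk through the post's scenario and return what the server saw at
    each step, so the effect of logging out is visible as data."""
    site = Server()
    site.register("alice", "hunter2")            # constructed sample account
    victim_cookie = site.login("alice", "hunter2")
    stolen_copy = dict(victim_cookie)            # the duplicated cookie string
    before_logout = site.whoami(stolen_copy)     # server cannot tell copies apart
    site.logout(victim_cookie)
    after_logout = site.whoami(stolen_copy)      # session gone: the copy is worthless
    fresh_cookie = site.login("alice", "hunter2")
    after_relogin = site.whoami(stolen_copy)     # old ID stays dead; new one differs
    return {
        "before_logout": before_logout,
        "after_logout": after_logout,
        "after_relogin": after_relogin,
        "ids_differ": fresh_cookie["session_id"] != stolen_copy["session_id"],
    }


if __name__ == "__main__":
    print(replay_scenario())
```

The `change_password` method also drops every live session for that user, which is the property you want from a real site: changing the password alone should leave no stale session behind, and logging out first covers the case where it doesn't.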

I think that should answer a lot of misconceptions about cookies and how CGers work. I'm definitely not an expert on writing CGers seeing as I have no interest in them, but I do know that they exploit some basic principles of the HTTP protocol and how your browser interacts with web servers. If anyone has any questions on how they work, I'd be happy to see if I can answer them. I think it's a lot better if Neopia knows exactly what's happening on the technical side so they can act quickly to prevent account loss if possible. (And of course, the less paranoid the Neopian public is, the less misinformation and rumors get passed around to scare people with false information.)
With all of that in mind, I also highly recommend reading our Neopets Account Safety guide by Illy to brush up on how to keep yourself safe. Remember: always apply a PIN to your account, and don't visit any fishy links you come across! If you think you're a cookie grabber victim, quickly change your password and then log out of your account to prevent any losses.

If you have any questions about account safety, please post away in our news comments! The more educated Neopia is, the better.
doodledoodledragon, November 3, 2010 5:25 PM NST
Thanks for the tips!
scep, November 3, 2010 5:26 PM NST
Very useful, thanks for posting. Just switched to plain text Neomail, and honestly I wouldn't even have heard about this otherwise. Thanks! :^)
mrmilkshakeman, November 3, 2010 5:33 PM NST
i just did it! thanks.
dacio, November 3, 2010 5:41 PM NST
dreww355, November 3, 2010 5:47 PM NST
Thanks for the very thorough explanation of what a CGer does. I always wondered what they did exactly to gain access to an account. In my mind, the moral of the story is LOG OUT of your account (and then change your password, but make sure to log out as soon as you think you fell into a CGer trap).
birdlover4749, November 3, 2010 5:52 PM NST
Thanks for the heads up ^^
weapon_hunter, November 3, 2010 5:54 PM NST
Thanks. Liked the explanation.
redherochild, November 3, 2010 5:56 PM NST
Apple Bobbing is back, in Neovia! Here's what I got:

"You dip your head into the apple barrell, gripping your prize firmly in your teeth. Upon emerging proudly with your prize, you are horrified to see that it's... someone's dentures?! You flail around in disgusted horror until you hit the fence and tumble headfirst over it. Ouch."
djhanky222, November 3, 2010 6:02 PM NST
Great work *Dave?*
That was actually rather enlightening

Never bothered with pins might do that now
roddy1999, November 3, 2010 6:05 PM NST
This is stupid, I doubt that there is a CG in the actual neomail. People telling you they were probably clicked a link or visited the look up.
roddy1999, November 3, 2010 6:08 PM NST
Most of what this said isn't what I thought CGs were.
Logging out and logging in takes longer than changing your p/w which would log the CGer out too.
roddy1999, November 3, 2010 6:11 PM NST
And a neomail won't allow enough space to put a CG in, and if it did TNT could block it and it would be very hard to make one fit in the small space.
kelsyjones, November 3, 2010 6:13 PM NST
Maybe you don't know as much about CGs as you think you do? Write your own guide if you know so much.
roddy1999, November 3, 2010 6:15 PM NST
I'll do that.
dave - JN Staff, November 3, 2010 6:15 PM NST
@roddy1999: The people who are attacking Neomails are exploiting the WYSIWYG editor that Neopets provides to allow for color changes, different font sizes, etc. in Neomails. It's likely some sort of glitch in that system that is allowing the CGers through. If you have any other information to provide besides declaring it stupid, by all means please let us know.
roddy1999, November 3, 2010 6:17 PM NST
Does anyone even have any proof that someone was CG through neomail?
roddy1999, November 3, 2010 6:20 PM NST
Or did the charter board say something and everyone believe them?
dave - JN Staff, November 3, 2010 6:27 PM NST
Mhmm, someone from the Battledome Chat posted about it and multiple others confirmed the same example of what happened to them.
scep, November 3, 2010 6:29 PM NST
[Removed for harassment]
bunnyboo, November 3, 2010 6:29 PM NST
i think people who try to hack into people's account should bout on there business its our account of course what if it doesnt have anything even valuable i mean really ??? -sigh- hacking people these days what can we say??
rosi, November 3, 2010 6:31 PM NST
Thanks for the heads up. I've actually always used the Plain text neomail format, and recently switched to the 'only Neofriends can contact you' option.
holothurion, November 3, 2010 6:32 PM NST
By the way, the Bank has gotten a very little update. I assume it has already been noted by the majority, but it was still worth the mention.
linkey11, November 3, 2010 6:51 PM NST
Wow, personally I liked the old bank better...
linkey11, November 3, 2010 6:52 PM NST
But at least it's a change.
kelsyjones, November 3, 2010 6:56 PM NST
Hm, the new bank Skeith looks kind of creepy.
blklightpixie26, November 3, 2010 6:58 PM NST
I still can't figure out what someone would want with someone else's account. Mine wasn't all that great and they took it.
nynex - JN Staff, November 3, 2010 7:04 PM NST
real money
heaveaway05, November 3, 2010 7:11 PM NST
by the way did any 2Pers find it strange that Magenorb in that Halloween Thade Quest in the Haunted Faire?

And tnt needs to stop posting pngs in the news without keeping them from being 1 pixel height and width...
dave - JN Staff, November 3, 2010 7:20 PM NST
@blklightpixie26: They steal all of the Neopoints and valuable items, then sell them for real life currency on illegal blackmarket Neopoint sites. (So if anyone ever considers purchasing Neopoints (1) it's against the rules no matter what, and (2) it's just Neopoints that were stolen off of some poor person who got targeted.)
peper_topaz, November 3, 2010 7:29 PM NST
Is there a way to know right away if a CGer has taken your cookie?
kellcrow, November 3, 2010 7:49 PM NST
Yep; I remember that LJ post. It was a great post. :nods supportively:
It is also a really good idea to never repeat passwords; like, keep your Neopets word different from your JN word, and your email word, your word, Live Journal, etc.
I'm paranoid enough to have different words on each side account, and each of my email accounts that relate to Neopets... Because heavens forbid that any nasty wrongdoer should try to CG from those support sites, but technically it is possible.
lombre, November 3, 2010 9:12 PM NST
So, does ticking "Plain text neomails" just remove the special codes like CGs, and, to a more normal extent, italics, from neomails you receive, or does it block neomails with those things in them all together? A friend of mine tends to use things like italics a lot in her messages, so I wanna make sure it won't just block any neomails I get from her with those in it.
nynex - JN Staff, November 3, 2010 9:14 PM NST
plain text is plain text. It won't block the neomails. You will still receive all neomails sent to you, they will only appear as plain text though.
birdlover4749, November 3, 2010 10:58 PM NST
*checks out bank* He does look scary ;o;
kic24, November 4, 2010 12:21 AM NST
There will be a new contest!!! If you go to the dutch news page of neopets, you'll see there that the Hannah and the kreludor caves game makers competition just began (this isn't true though, cause you'll get an error when coming on this page), but it will be probably released shortly
faith_starr, November 4, 2010 1:47 AM NST
Thanks for the heads up.

Just saying though, when you get CG'ed you're supposed to log out first, then log in again and change your password. Because when you log out, the scammer will be logged out automatically too.
cat, November 4, 2010 1:50 AM NST
Oh joy, more CGs. I think some people had mentioned getting CGs in Neomails a few months ago too, that's when I changed my Neomail settings to plain text. I'd hoped TNT took care of whatever exploit was letting them through, but I guess not.

As far as buying NP is concerned there are three basic reasons not to do it:
1) It's against the rules and you'll get frozen if you get caught.
2) There are three ways to generate neopoints: Stealing someone else's account and stealing all their neopoints; using a cheat program to get Gold trophies at games, thereby robbing someone who's actually playing the game of the ability to get a trophy; and paying kids in 3rd world countries $1 per hour to grind out neopoints (well, not always kids, but you get the idea). So no matter where your bought neopoints come from chances are you hurt someone (unless you argue that if some 3rd world gold generating operation didn't employ people they might have a worse job or no job at all, fair enough).
3) No gamer worth their salt will do anything but sneer at you for buying game currency. No one will feel the least bit sorry for you when you get frozen. Think of it like stealing candy from a baby: sure it's profitable and easy, but no one will look kindly on what you did.

For buying items the principal sources are either stolen accounts or autobuyers. To get a really top notch pet though it's easiest to hack someone's account.
alessia, November 4, 2010 2:08 AM NST
The plain text neomail option only works on the full email. It doesn't work on the preview you receive before reading the full email. In fact I have the plain text option on but in the preview I can still see the link linked and not as normal text (that maybe you have to copy and put in the address bar... I hope to give you the idea of what I'm saying...)
narcissa, November 4, 2010 2:50 AM NST
I was CG'd in neo a couple of months ago in a way I had never heard of before. I sent a ticket to TNT but no one believed me. I am 100% sure of what happened but I have no proof. If you from JN want to hear about it, I can tell but I'd like my username to be removed.
narcissa, November 4, 2010 3:10 AM NST
I am kind of ashamed to ask, but English is not my native language and I am afraid I might have misunderstood JN instruction.

“Plain Text Neomail - Check this box if you DO NOT WANT to send or receive Advanced Neomails”

I have to keep this option checked/ticked or unchecked/”unticked”?
torratz - JN Staff, November 4, 2010 4:25 AM NST
@narcissa Keep that box checked - it means all your neomails will be plain text. Don't be ashamed to ask - if we never asked questions, we would never learn anything

@alessia I think you're confusing neomails with emails - the neomail system doesn't have a preview option.
narcissa, November 4, 2010 5:06 AM NST
@ torratz - thank you! I am afraid I am a bit paranoid lately
matchu, November 4, 2010 5:36 AM NST
I'm not sure that the last paragraph here is strictly true. It's not a matter of abusing the HTTP protocol at all; it's simply cross-site scripting attacks. Essentially, if a web page somehow allows raw HTML to be written to a web page, then a malicious user can include a bit of JavaScript. Scripts are allowed to access cookies from the same domain name, and only the same domain name. As such, if a user can include JavaScript on a Neopets.com page, then it can access the Neopets.com cookies, and silently send those cookies to an evil place to be stored. It has everything to do with vulnerabilities in individual sites, and nothing to do with the HTTP protocol, especially since the attack itself, once implemented, takes place entirely in the browser. It's not like any site is vulnerable and someone was just mean enough to actually do it; it reflects a single, specific security flaw on Neopets.com.
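The defence side of what matchu describes, and of the "Plain text Neomail" option the post recommends, is that user-supplied message markup must never reach the page as raw HTML. The following is an added example written for this page, not Neopets' or Jellyneo's code; the tag allowlist, the `render` function and the cookie-header helper are assumptions made for illustration. It rebuilds a message from parsed tokens instead of passing the input through, so the "plain text" mode keeps only escaped text and the "advanced" mode keeps only a few attribute-free formatting tags; script blocks, links and event-handler attributes are simply discarded.

```python
"""Rendering untrusted Neomail-style markup safely.  Added example, not
Neopets' or Jellyneo's code; the allowlist and function names are
assumptions made for illustration."""
import html
from html.parser import HTMLParser

# Formatting tags an "advanced" message may keep.  Nothing here takes
# attributes, so no event handlers or URLs can ride along with a tag.
ALLOWED_TAGS = {"b", "i", "u", "br"}
RAW_TEXT_TAGS = {"script", "style"}   # their contents are code, not message text


class _Sanitizer(HTMLParser):
    """Rebuild the message from scratch: keep only allowlisted tags (with
    their attributes thrown away) and escape every run of text.  Unknown
    tags vanish but their visible text survives, so <a href=...>click</a>
    becomes just 'click'."""

    def __init__(self, keep_formatting):
        super().__init__(convert_charrefs=True)
        self.keep = keep_formatting
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.keep and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")   # attributes deliberately discarded

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.keep and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True already decoded entities, so re-escaping
        # here also neutralises tricks like '&lt;script&gt;' in the input.
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=True))

    def result(self):
        return "".join(self.out)


def render(message, plain_text):
    """Return HTML that is safe to embed in a page.  plain_text=True is the
    equivalent of the 'Plain text Neomail' setting: no tags at all."""
    parser = _Sanitizer(keep_formatting=not plain_text)
    parser.feed(message)
    parser.close()
    return parser.result()


def session_cookie_header(session_id):
    """Second layer, independent of the page content: a session cookie set
    with HttpOnly is never exposed to document.cookie, so even a script
    that does run on the page cannot read it.  Cookie name is assumed."""
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample message, not a real Neomail.
    sample = 'Hi <b onmouseover="x()">there</b><script>alert(1)</script> 1 < 2'
    print(render(sample, plain_text=True))
    print(render(sample, plain_text=False))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

Rebuilding from parsed tokens is the important design choice: a blocklist that tries to delete `<script>` from the raw string is easy to slip past with odd casing or broken tags, whereas an allowlist that only ever emits tags it chose itself cannot emit anything it did not intend.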
matchu, November 4, 2010 5:37 AM NST
...that one web technology, that is the word "java" and the word "script" combined, was yoinked out of the above comment a few times. If it looks like a word is missing, fill that word in
ruse, November 4, 2010 5:38 AM NST
Thanks for the warning! Plain text for me from now on.
alessia, November 4, 2010 7:58 AM NST
@torratz - the neomails have the preview option!!! You see the preview when you open your events log page before opening and reading the FULL neomail.... =___=
fantasygirl23, November 4, 2010 8:39 AM NST
Tnx, for the warning.
Is it useful to log out each time when you stop playing with neopets?
nikrock444, November 4, 2010 9:03 AM NST
Thank you for the heads up. I'm always paranoid that I'm going to be hacked or CG'd one of these days.
estherskyfire101, November 4, 2010 9:17 AM NST
@fantasygirl23 i think that NO because one day they hacked me when i logout and its better stay than logout
wandering_grapefruit, November 4, 2010 9:53 AM NST
@fantasygirl23, as far as I know, the safest thing to do is log out every time. Someone could grab your cookie but not be at the computer (they don't actually need to be there) so if you log out before they can use that Login ID thingee then you foiled their evil plans. Probably a lot of people who get CGed just don't logout.

I could be wrong though, as I am no expert
nynex - JN Staff, November 4, 2010 11:11 AM NST
@estherskyfire - I guess you didn't read the post
ronindh, November 4, 2010 11:19 AM NST
I remember a time when TNT said that CG's did NOT exist and were not possible on their site. Clearly they were wrong. One of the biggest issues that Neopets has is the continued use of Jabbascripts (Yes I spelled it wrong on purpose). Jabbascripts are the bane of existence for anyone who works in the Software Security/IT field for SO many different reasons. It's all too easy to embed a Virus or Trojan into a Jabbascript. As someone who actually works in IT/Software Security, I can tell you now that CG's do in fact exist on various sites, and are not just limited to Neopets. One of the MAIN culprits is FAILbook (It's actually FACE, but you get the idea). Your best bet? Avoid sites like FAILbook, and remember to sign out of your Neopets account if you're going to be away from the comp for more than 30 minutes. It may be a slight hassle to have to sign back in, but clearly nowhere near the hassle of losing everything you worked so hard for all over again.
dacio, November 4, 2010 12:03 PM NST
OT, but there are more opponents!!!

Sorry, there are no more Shadow Ghoul Chaos left in Neopia!

Try challenging another opponent.

The link WAS:


After a few minutes when the link was posted, it seems that the name of the monster does not appear there anymore... the topic:

dacio, November 4, 2010 12:06 PM NST
Oops! This topic does not exist! Bummer, eh?

TNT, YOU!!! D=

Ask herdy, he was in the topic too. It's truth

Too much OT
herdy - JN Staff, November 4, 2010 12:08 PM NST
Yep, I saw it, don't worry. Sneaky TNT - leaks are good not bad!
rodgerflint, November 4, 2010 12:37 PM NST
Haha, looks like rsing that GoCo yesterday was indeed a good idea. And now that there's a daily that gives a disease and no healing springs, the three items that cure it might inflate a bit
nynex - JN Staff, November 4, 2010 12:43 PM NST
yeah, they seem to forget that leaks spark excitement and get people hyped up
y2j_fanatic, November 5, 2010 12:17 AM NST
Woah! I'd always gone by what the Help Boards on Neopets said that cookies steal your password and most recently all passwords you have saved on your computer ...but the concept of changing your password and logging out is still a good idea. I do wonder though, if all you're doing is changing your password...can't the person still submit a lost password request since you're not checking if the email is still your email?
y2j_fanatic, November 5, 2010 12:35 AM NST
The only problem I have with using plain text Neomails is that if someone sends you just a smiley face (emoticon, whatever) that it'll show up as a blank Neomail...I used to use only plain text but someone explained to me that was why I was receiving blank Neomails...I've got everything in my account pin protected though which I know is a good thing. I just wish they'd put pins on trades & auctions. I guess I could go back to just talking to my Neofriends and switch on the only Neofriends can contact...once I've finished my trading in a few days. That should solve the Neomail CG on my part. But for reference matters, do I need to log out, log in, and change password or do I change password, log out, and then log in?
hon3ysmil3z, November 5, 2010 3:10 AM NST
This is why I don't really go on Neopets anymore... Plus not even having time to be on it!
narcissa, November 5, 2010 7:13 AM NST
Here I am again. I have another doubt. If I receive a NM with a CG in it, or visit a lookup with one, but I don't click on anything, I just see the neomail/lookup, is there any danger?
nynex - JN Staff, November 5, 2010 8:40 AM NST
the help boards are not always correct. They do help to spread mass hysteria though.
popcornbuzz, November 5, 2010 1:44 PM NST
A very good explanation! Do I understand this correctly: A Cookie Grabber is simply a link in a neomail or is it also on shops and lookups?
alessia, November 6, 2010 9:37 AM NST
it can be put in every customizable page (shops, gallery, petpages, user lookup, pet lookup....)