
Neomail Cookie Grabbers
  • Posted by Dave
  • Posted on November 3, 2010, 5:11 pm NST

We've received a couple reports about cookie grabbers making their way into Neomails. Before you panic, visit the Neopets Preferences page and tick off the "Plain text Neomail" option. This will block any risky Neomails from getting through to you and strip out anything harmful.

I'd also like to take this time to educate everyone on cookie grabbers and how they work! I posted this as a comment over at the wonderful Neopian Adults LiveJournal community, and I figured it'd be a good thing to post on the front page of JN as well. My explanation of cookie grabbers...

All "cookie grabbers" work on the same fundamental principle that aithyne mentioned: duplicating the string of information that your Neopets cookie contains and then using that information to log in to your account.

A cookie is a file on your computer that your browser manages. It holds a string of information that a web server wants to remember about you later on. (For those who don't know, a "string" is a bunch of characters mashed together. They can be sentences, words, or whatever else you can think of typing with your keyboard.) Cookies are NOT the same as telling your browser to "save" or "remember" the password for when you log in to websites. Those passwords are kept locked up safely by your browser and are not available to things like JavaScript, which is what CGers are generally executed in.

Sessions are a way for web servers to know that it is you each time you load a page, without you having to log in again for every page on that website. A unique session ID is generated each time someone logs in to Neopets, and then that ID is associated with that user until they decide to log out (or until the server lets the session expire, which usually doesn't happen on Neopets).

In terms of Neopets, your Neopets cookie holds your username and your session ID, which corresponds to your logged-in status on the Neopets web servers. Every time you load a Neopets webpage, your browser sends your Neopets cookie to the Neopets server, which processes it and decides what to do based on your cookies (e.g. when you visit neopets.com/bank.phtml, if you're logged in, your bank account will appear, but if not, the server will make you log in).

Once a hacker steals your cookies, they basically have a key into your account. They don't need to know your password; they simply need to substitute your cookie string into their own cookie to gain access since the server will now think that the scammer's computer is actually your computer. (Unless there's some fancy dehashing algorithm CGers have... I don't think they can actually get a password from your cookie.)

Now, knowing what cookies and sessions are and how they work on Neopets, the next thing to discuss is how to defend against cookie theft. In theory, all you need to do is log out of your account to kill the session ID on the Neopets server. That would, again in theory, log out the scammer and make your stolen cookie worthless. (Since like I mentioned before, once you log back in, you'll get a *new* session ID which the hacker would need to steal all over again... and hopefully you're savvy enough to avoid the trap a second time!) However, it may also be a good idea to change your password since the hacker could also obtain your password by changing your email to their own and making a lost password request.
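The session behaviour described above, as an added Node.js sketch (not part of the original post and not Neopets' code): the server trusts whoever presents the session ID, and logging out makes every copy of the old cookie worthless. The cookie name `sid`, the username and the in-memory store are assumptions for illustration; the `HttpOnly` attribute is a standard cookie flag that keeps the cookie out of reach of page JavaScript.

```javascript
// Added illustration: a toy in-memory session store, not a real site's code.
const crypto = require("node:crypto");

const sessions = new Map(); // session ID -> username

// Logging in creates a fresh, unguessable session ID and the Set-Cookie
// header the server would send. HttpOnly hides the cookie from page
// JavaScript (document.cookie); Secure restricts it to HTTPS.
function login(username) {
  const sid = crypto.randomBytes(16).toString("hex");
  sessions.set(sid, username);
  return { sid, setCookie: `sid=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax` };
}

// Parse a request's Cookie header ("a=1; sid=abc") into name/value pairs.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// The server identifies the user only by the session ID in the cookie;
// it cannot tell which computer sent it. Returns the username or null.
function whoIs(cookieHeader) {
  return sessions.get(parseCookies(cookieHeader).sid) || null;
}

// Logging out deletes the server-side record, so every copy of the old
// cookie stops working at once.
function logout(cookieHeader) {
  return sessions.delete(parseCookies(cookieHeader).sid);
}

function demo() {
  const first = login("example_user");   // constructed username
  const copied = `sid=${first.sid}`;     // the same string sent from elsewhere
  const before = whoIs(copied);          // accepted as the real user
  logout(`sid=${first.sid}`);            // the real user logs out
  const after = whoIs(copied);           // the copy is now rejected
  const second = login("example_user");  // logging back in issues a new ID
  return { before, after, newId: second.sid !== first.sid, stale: whoIs(copied) };
}
```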

I think that should answer a lot of misconceptions about cookies and how CGers work. I'm definitely not an expert on writing CGers, seeing as I have no interest in them, but I do know that they exploit some basic principles of the HTTP protocol and how your browsers interact with web servers. If anyone has any questions on how they work, I'd be happy to see if I can answer them. I think it's a lot better if Neopia knows exactly what's happening on the technical side so they can act quickly to prevent account loss if possible. (And of course, the less paranoid the Neopian public is, the less misinformation and fewer rumors get passed around to scare people with false information.)

With all of that in mind, I also highly recommend reading our Neopets Account Safety guide by Illy to brush up on how to keep yourself safe. Remember: always apply a PIN to your account, and don't visit any fishy links you come across! If you think you're a cookie grabber victim, quickly change your password and then log out of your account to prevent any losses.

If you have any questions about account safety, please post away in our news comments! The more educated Neopia is, the better.