Welcome to Jellyneo.net!
Neomail Cookie Grabbers
- Posted by Dave
- Posted on November 3, 2010, 5:11 pm NST
We've received a couple reports about cookie grabbers making their way into Neomails. Before you panic, visit the Neopets Preferences page and tick off the "Plain text Neomail" option. This will block any risky Neomails from getting through to you and strip out anything harmful.
I'd also like to take this time to educate everyone on cookie grabbers and how they work! I posted this as a comment over at the wonderful Neopian Adults LiveJournal community, and I figured it'd be a good thing to post on the front page of JN as well. My explanation of cookie grabbers...
All "cookie grabbers" work on the same fundamental principle that aithyne mentioned: duplicating the string of information that your Neopets cookie contains and then using that information to log in to your account.

With all of that in mind, I also highly recommend reading our Neopets Account Safety guide by Illy to brush up on how to keep yourself safe. Remember: always apply a PIN to your account, and don't visit any fishy links you come across! If you think you're a cookie grabber victim, quickly change your password and then log out of your account to prevent any losses.
A cookie is a file on your computer that your browser manages. It holds a string of information that a web server wants to remember about you later on. (For those who don't know, a "string" is a bunch of characters mashed together. They can be sentences, words, or whatever else you can think of typing with your keyboard.) Cookies are NOT the same as telling your browser to "save" or "remember" the password for when you log in to websites. Those passwords are kept locked up safely by your browser and are not available to things like JavaScript, which is what CGers are generally executed in.
Sessions are a way for web servers to know that it is you each time you load a page on a website, without you having to log in again every time. A unique session ID is generated each time someone logs in to Neopets, and then that ID is associated with that user until they decide to log out (or when the server lets the session expire, which usually doesn't happen on Neopets).
In terms of Neopets, your Neopets cookie holds your username and your session ID, which corresponds to your logged-in status on the Neopets web servers. Every time you load a Neopets webpage, your browser sends your Neopets cookie file to the Neopets server, which processes it and decides to do something based on your cookies (e.g. when you visit neopets.com/bank.phtml, if you're logged in, your bank account will appear, but if not, the server will make you log in).
Once a hacker steals your cookies, they basically have a key into your account. They don't need to know your password; they simply need to substitute your cookie string into their own cookie to gain access since the server will now think that the scammer's computer is actually your computer. (Unless there's some fancy dehashing algorithm CGers have... I don't think they can actually get a password from your cookie.)
Now, knowing what cookies and sessions are and how they work on Neopets, the next thing to discuss is how to defend against cookie theft. In theory, all you need to do is log out of your account to kill the session ID on the Neopets server. That would, again in theory, log out the scammer and make your stolen cookie worthless. (Since like I mentioned before, once you log back in, you'll get a *new* session ID which the hacker would need to steal all over again... and hopefully you're savvy enough to avoid the trap a second time!) However, it may also be a good idea to change your password since the hacker could also obtain your password by changing your email to their own and making a lost password request.
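To make the session lifecycle described above concrete, here is an added example (not part of the original post, and not Neopets' actual code) that models the server side in JavaScript. The `SessionStore` class and the cookie names `user` and `sid` are made up for illustration.

```javascript
// Added example: in-memory model of server-side sessions (hypothetical names).
const { randomBytes } = require("node:crypto");

// Parse a "name=value; name=value" cookie string into an object.
function parseCookie(header) {
  const out = {};
  for (const part of String(header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

class SessionStore {
  constructor() {
    this.sessions = new Map(); // session ID -> username
  }
  // Called after a successful password check; returns the cookie string.
  login(username) {
    const sid = randomBytes(16).toString("hex"); // fresh ID on every login
    this.sessions.set(sid, username);
    return `user=${username}; sid=${sid}`;
  }
  // The server only sees the cookie string, not whose computer sent it.
  whoIs(cookie) {
    const { user, sid } = parseCookie(cookie);
    const owner = this.sessions.get(sid);
    return owner !== undefined && owner === user ? owner : null;
  }
  // Logging out deletes the session ID on the server.
  logout(cookie) {
    return this.sessions.delete(parseCookie(cookie).sid);
  }
}

function demo() {
  const server = new SessionStore();
  const original = server.login("example_user"); // constructed sample user
  const copy = original;                  // identical string held elsewhere
  const before = server.whoIs(copy);      // accepted as the account owner
  server.logout(original);                // owner logs out
  const afterLogout = server.whoIs(copy); // the copy no longer matches
  const fresh = server.login("example_user"); // new login, new session ID
  return { before, afterLogout, afterRelogin: server.whoIs(copy),
           fresh: server.whoIs(fresh), changed: fresh !== original };
}
```

Calling `demo()` shows that the copied cookie is accepted until the owner logs out, and that it stays rejected after the owner logs back in because the new session ID is different.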
I think that should answer a lot of misconceptions about cookies and how CGers work. I'm definitely not an expert on writing CGers seeing as I have no interest in them, but I do know that they exploit some basic principles of the HTTP protocol and how your browsers interact with web servers. If anyone has any questions on how they work, I'd be happy to see if I can answer them. I think it's a lot better if Neopia knows exactly what's happening on the technical side so they can act quickly to prevent account loss if possible. (And of course, the less paranoid the Neopian public is, the less misinformation and fewer rumors get passed around to scare people with false information.)
If you have any questions about account safety, please post away in our news comments! The more educated Neopia is, the better.