Currently a load of people have one, a load more want one, and some of us don’t particularly want them to have our cookies.
If you don’t want to read the background information or babble and just want to install what’s needed, go right down to the bottom of this post. It’s in red.
If you want to know what a cookie grabber is then use Google, because you can find some pretty good explanations of it, to be honest. This is just an explanation of how to somewhat defend against them.
There are two main ways people are grabbing cookies on neopets at the moment:
The Coding Error
This normally takes the form of
The SWF clicktag
Basically a load of neopets.com flash files send you to another page when you click on them, and being who they are they have let the destination be set via the URL.
These normally take the form of
These can’t really be embedded in pages for new browsers, and IE7 doesn’t let them work properly if you’re directly sent to one.
1. Don’t go to any offsite links from neopets.
It’s true, but honestly I still go on a load of offsite links. And the thing is, anybody who knows you go on neopets can send you a link over MSN with an embedded cookie grabber on. Being paranoid and logging out of neopets before you go to any other site, well I couldn’t be arsed with it.
2. Install NoScript for Firefox
This again works but I normally end up turning NoScript off because the alerts annoy the hell out of me, having to enable every site I visit does get very tedious and it makes me just click yes to everything.
If you want to be in serious control of which scripts can run and which can’t then this is for you, but for most people it’s just extra unneeded micromanagement. Also, although it has built-in XSS protection (cookie grabbers use this technique), it also interferes with a lot of stuff.
3. My AdBlock list for Firefox to stop CookieGrabbers.
If you don’t have AdBlock, then basically it blocks all the adverts on the internet (Yay!) and what not. If you love adverts, you can opt to install it, but when it asks you to subscribe to a list just say no and cancel.
This is pretty painless in terms of affecting your browsing. You need to save this list and import it into AdBlock.
What’s inside the txt file:
4. XSS guardian
As mentioned in the explanation there are some Flash (.SWF) based cookie grabbers, and some other ones where you’re directly sent to the page. Adblock won’t stop this because it’s a direct request, so here we have another extension!
This basically does the same thing as Adblock but on direct URLs; it’ll scan the URL for common XSS vulnerabilities.
This pops up when it’s blocked something:
There are a few download URLs for this one.
1. Original URL from Firefox add-ons, uploaded since it’s currently in the sandbox testing area on mozilla.org
2. Edited to work with Firefox 3
3. Edited to work with Firefox 3 and not add another stupid icon to your status bar (you’ll have to enable and disable it in the add-ons section of Firefox)
These XPI files will download to your default download location, and then you have to drag them into an open firefox window.
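As an added illustration (not part of the original post, and not XSS Guardian’s actual code), here is the kind of direct-URL check described above, written in JavaScript. The rule list, the `scanUrl` and `deepDecode` names and the `example.test` sample URLs are assumptions made for this example.

```javascript
// Assumed heuristic rules for illustration; not XSS Guardian's real rule set.
const RULES = [
  ["script-tag", /<\s*script/i],
  ["script-scheme", /^\s*(javascript|vbscript|data)\s*:/i],
  ["cookie-access", /document\s*\.\s*cookie/i],
  ["event-handler", /\bon(error|load|click|mouseover)\s*=/i],
];

// Undo nested percent-encoding (%253C -> %3C -> <) with a bounded number of
// passes; malformed sequences stop decoding instead of throwing.
function deepDecode(value, rounds = 3) {
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(value); } catch (e) { break; }
    if (next === value) break;
    value = next;
  }
  return value;
}

// Return sorted "parameter:rule" findings for one directly requested URL.
function scanUrl(url) {
  const parsed = new URL(url);
  const isSwf = parsed.pathname.toLowerCase().endsWith(".swf");
  const findings = new Set();
  for (const [name, raw] of parsed.searchParams) {
    const value = deepDecode(raw);
    for (const [rule, pattern] of RULES) {
      if (pattern.test(value)) findings.add(`${name}:${rule}`);
    }
    // A Flash clickTAG destination should only ever be an http(s) link.
    if (isSwf && name.toLowerCase() === "clicktag" && !/^\s*https?:\/\//i.test(value)) {
      findings.add(`${name}:clicktag-not-http`);
    }
  }
  return [...findings].sort();
}

// Constructed sample URLs (example.test is a placeholder host).
const SAMPLES = [
  "http://images.example.test/ads/banner.swf?clickTAG=http://www.example.test/shop",
  "http://images.example.test/ads/banner.swf?clickTAG=javascript%3Avoid(0)",
  "http://www.example.test/search.phtml?q=%253Cscript%253Ex%253C%252Fscript%253E",
];
for (const u of SAMPLES) console.log(scanUrl(u).join(", ") || "clean", "<-", u);
```

A check like this is pattern matching on the URL only, so it shares the limitation the post gives for the extensions themselves: it is not foolproof.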
Don’t become apathetic: these aren’t foolproof, and if you still get CG’d don’t come to beat me up.
If these measures didn’t protect you and you got cookie grabbed, then this is what the person who’s got your cookie is going to do.
1. Use your cookies and neopets.com thinks they’re you, so they basically are logged into your account. However they don’t know your password or PIN number, so they can’t change the email or preferences. And if you PIN everything you should be fine.
2. Try and decrypt your cookies
Sadly Neopets have decided that security isn’t needed and have used a simple MD5 hash on your password and stored it in your cookies.
There’s a nice part of the cookie that looks like
The bit in red is an MD5 hash of your password 😮
They can slap it in http://gdataonline.com/seekhash.php and try and decrypt it.
You know how you beat this?
Use basic password rules: use a long word as your password or use multiple numbers + punctuation marks.
If your password is “golf123” make your password “golf123golf123”; it’ll make the hashed value very different, and long passwords won’t be in the databases of websites like the one mentioned.
And although that was long, hopefully it was informative.
If it was just annoyingly long, say because I might write a couple more guides and I don’t want to be a bore.
——-Short and sweet—-
Adblock Filter list:
If you don’t have AdBlock, install it here; it’s an advert-blocking Firefox add-on: https://addons.mozilla.org/en-US/firefox/addon/1865
Import the following txt file into Adblock via (Tools -> preferences -> import list)
Another Firefox extension:
Original Install File: http://www.mediafire.com/?21341zgxgyq
Firefox 3 compatible Install File: http://www.mediafire.com/?m19fm0u0pne
Firefox 3 compatible without Status Bar Image File: http://www.mediafire.com/?zw3nyycmmz0
Filters out direct cookie grabbers.
!!!!:These XPI files will download to your default download location, and then you have to drag them into an open firefox window.
Don’t go to offsite websites when logged in on neopets:
A bit restricting.
Follow good password rules: