Urgent
AgnesIO
24-04-2010, 10:56 AM
Does anyone know anything about habbostyles.com?
dogboy123
24-04-2010, 10:57 AM
No idea what it is, why?
AgnesIO
24-04-2010, 11:03 AM
No idea what it is, why?
Someone came into my room and said it is a new rare values site in AU. I went on it, then he asked if I prefer logging in with Habbo ID or username.
Think I might have fallen for a trick.
paramoreriot
24-04-2010, 11:20 AM
DO NOT GO ON THE SITE. I think it's a session stealer so they can hack you. Make sure you log in with email, I think that was the safe way. NOT your Habbo name.
If it's asking for Habbo ID - you should avoid it at all costs even if it does offer an alternative login. DO NOT LOG IN WITH YOUR EMAIL as this is equally dangerous, they will probably use it to at least try to access your Habbo Account.
paramoreriot
24-04-2010, 11:25 AM
Ironic, isn't it? The security check is vulnerable to Cross Site Scripting.
It appears to try to sanitise the URL, thus <script></script> tags are useless here, but alas, tags are not necessary to steal a session cookie via this URL.
An XSS hole for Habbo Hotel has not been in the public domain for a long while, so this is our gift to you. It will not last so make the most of it while you can.
If you are not aware, you do not need a user's Habbo name or password to get on their account if you have their session cookie. You can log into your account, sit on homepage, use Firefox's "Add n' Edit Cookies" add-on to set their JSESSIONID as your JSESSIONID, and then all that is required is a page refresh in Habbo Homes to be logged into their account.
A full tutorial on how to steal another Habbo's session (and use it yourself) using the security_check XSS exploit has been compiled for you. For learning purposes only, of course ;]
IMPORTANT: Safari 4 and IE8 with XSS filtering enabled are immune.
Perhaps others also. Test alternative browsers and comment.
Also, this will only work on users who logged in using their name and not email. (thanks Loget)
So email is safe, I am 99% sure. So basically for the next while don't go on any sites that you have never been on or that simply look weird.
BTW I'M NOT ADVERTISING HACKING
Just showing prevention etc.
AgnesIO
24-04-2010, 11:40 AM
I haven't actually put anything on that website, I went on the domain though.
What do I do now?
**** that makes sense o.O The guy said we have faults with IE and Safari users atm.
AgnesIO
24-04-2010, 12:11 PM
May I ask how long they will be able to get on my account for?
Also I am now using Safari, but how do I enable XSS filtering?
Catzsy
24-04-2010, 12:58 PM
May I ask how long they will be able to get on my account for?
Also I am now using Safari, but how do I enable XSS filtering?
Well he won't if you use your email to sign in as it says here.
Also, this will only work on users who logged in using their name and not email. (thanks Loget)
AgnesIO
24-04-2010, 02:30 PM
Well he won't if you use your email to sign in as it says here.
Oh fantastic, it doesn't make sense though - I always go through my email now! Do you think Habbo are planning on only letting you use your email soon, hence why they didn't think about session stealing?
As far as I am aware Habbo are using an email ID service now or something, aren't they?
May I ask how long they will be able to get on my account for?
Also I am now using Safari, but how do I enable XSS filtering?
They can edit cookies, so as long as you're on the browser + 10-15 mins after the session ID refreshes.
So basically what happens:
You visit the link, they have your session ID and alter it. Wait until you go offline and then they have 10-15 mins to transfer stuff.
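The two points the thread keeps circling back to are that whoever holds the JSESSIONID holds the account (paramoreriot's post above) and that a stolen cookie stays usable only until the session expires (the 10-15 minute window described here). On the server side, two cookie attributes narrow both: HttpOnly stops page script, injected or not, from reading the cookie at all, and a short lifetime caps how long a copied cookie works. The script below is an added defender-side example, not code from this thread or from Habbo; it audits Set-Cookie headers for those attributes. The cookie names, values and the 30-minute lifetime policy are constructed assumptions.

```python
"""Audit Set-Cookie headers for the attributes that limit session-cookie theft.

Constructed example: the header strings and the 30-minute policy below are
assumptions for illustration, not values taken from any real site.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Cookie names that are assumed to carry a login session (assumption).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "sessionid", "session"}
# Assumed policy: a session cookie should not outlive 30 minutes of use.
MAX_SESSION_AGE_SECONDS = 30 * 60


@dataclass
class CookieAudit:
    name: str
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'NAME=value; Attr; Attr=value' into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Return the weaknesses found in one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name)
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: cookie is readable by script in the page")
    if "secure" not in attrs:
        audit.findings.append("missing Secure: cookie may be sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    if name.lower() in SESSION_COOKIE_NAMES:
        max_age = attrs.get("max-age")
        if max_age is not None and max_age.isdigit() and int(max_age) > MAX_SESSION_AGE_SECONDS:
            audit.findings.append(
                f"Max-Age {max_age}s exceeds policy of {MAX_SESSION_AGE_SECONDS}s"
            )
    return audit


def audit_response_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of a response; returns {cookie name: findings}."""
    results: Dict[str, List[str]] = {}
    for header in headers:
        audit = audit_set_cookie(header)
        results[audit.name] = audit.findings
    return results


# Constructed sample headers: the weak form, the hardened form, and one that
# is flagged only for living far longer than the assumed policy allows.
WEAK_COOKIE = "JSESSIONID=8F3A2C9D0B1E; Path=/"
HARDENED_COOKIE = (
    "JSESSIONID=8F3A2C9D0B1E; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=1800"
)
LONG_LIVED_COOKIE = (
    "JSESSIONID=8F3A2C9D0B1E; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=604800"
)

if __name__ == "__main__":
    for name, findings in audit_response_cookies(
        [WEAK_COOKIE, HARDENED_COOKIE, LONG_LIVED_COOKIE]
    ).items():
        print(name, "OK" if not findings else findings)
```

The audit is deliberately header-level: it tells you whether a script-injection bug anywhere on the site could read the session cookie, and whether a copied cookie would still work days later, without needing to know where the injection is.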
AgnesIO
24-04-2010, 03:40 PM
They are, but you don't actually HAVE to use it.
And now another problem comes in. I changed my password and email to brand new ones and typically I have forgotten what I made them too :L
EDIT: Remembered my ID, so can now reset (after I reset my gmail pword too lol)
Catzsy
24-04-2010, 04:47 PM
Oh fantastic, it doesn't make sense though - I always go through my email now! Do you think Habbo are planning on only letting you use your email soon, hence why they didn't think about session stealing?
Yes I think so but I am being uber careful about pressing any links on 'habbo' sites at the moment.