Does anyone know anything about habbostyles.com?

Does anyone know anything about habbostyles.com?
No idea what it is, why?
DO NOT GO ON THE SITE. I think it's a session stealer so they can hack you. Make sure you log in with email, I think that was the safe way. NOT your hab name.
If it's asking for Habbo ID - you should avoid it at all costs even if it does offer an alternative login. DO NOT LOG IN WITH YOUR EMAIL as this is equally dangerous, they will probably use it to at least try to access your Habbo Account.
Benedictus qui venit in nomine Domini
So email is safe, I am 99% sure. So basically for the next while don't go on any sites that you have never been on or simply look weird.
Ironic, isn't it? The security check is vulnerable to Cross Site Scripting.
It appears to try to sanitise the URL, thus <script></script> tags are useless here, but alas, tags are not necessary to steal a session cookie via this URL.
An XSS hole for Habbo Hotel has not been in the public domain for a long while, so this is our gift to you. It will not last so make the most of it while you can.
If you are not aware, you do not need a user's Habbo name or password to get on their account if you have their session cookie. You can log into your account, sit on homepage, use Firefox's "Add n' Edit Cookies" add-on to set their JSESSIONID as your JSESSIONID, and then all that is required is a page refresh in Habbo Homes to be logged into their account.
A full tutorial on how to steal another Habbo's session (and use it yourself) using the security_check XSS exploit has been compiled for you. For learning purposes only, of course ;]
IMPORTANT: Safari 4 and IE8 with XSS filtering enabled are immune.
Perhaps others also. Test alternative browsers and comment.
Also, this will only work on users who logged in using their name and not email. (thanks Loget)
BTW IM NOT ADVERTISING HACKING
Just showing prevention etc
Last edited by paramoreriot; 24-04-2010 at 11:34 AM.
I haven't actually put anything on that website, I went on the domain though.
What do I do now?
**** that makes sense o.O The guy said we have faults with IE and Safari users atm..
Last edited by AgnesIO; 24-04-2010 at 11:42 AM.
May I ask how long they will be able to get on my account for?
Also I am now using Safari but how do I enable XSS filtering?
Well he won't if you use your email to sign in as it says here.
Also, this will only work on users who logged in using their name and not email. (thanks Loget)