[RESOLVED] Zynga Poker and NoScript

[centaurius]

It seems they had some problems in their service thats why the XSS warning came up again, still after 2 hours its back to normal, and i'm using the 1st code u gave me. So it's all good for now, if it "blocks" again i'll try the 2nd code u provided. Thanks

[Aye]

The Zynga poker game on facebook doesnt work for me since the last noscript update.... could you fix that? Or give me some help?

Thanks

Aye

[Giorgio Maone]

What kind of problems have you got, exactly?
Maybe this?

[Aye]

Aww sorry, should have googled it....

Thanks, solved my problem =D

Aye

[isxrc]

I am having a problem with Zynga Poker not working properly with NoScipt installed.

I followed the instructions in the post below and added the exception code in firefox and in noscript ^http://facebook\.poker\.zynga\.com/poker/
and also tried with and without the ^ and problem still persists....

i would have added to the below post but it is already closed...any ideas please....

thanks in advance

http://forums.informaction.com/viewtopi ... 80&start=0

[nimd4]

Absolutely no idea what I was tryin' 2 say here, had 2 edit, sorz; tnx. :)

[mandyw]

Just an FYI!

I wouldn't disable NoScript entirely on any Zynga games right now. A lot of accounts are being hacked because they're literally exposing all of your session keys, so a hacker just needs the long url to access your player account directly from the iframe that sits on Zynga's server. They switched to iFrames recently, instead of FBML via FB's api to Zynga's server. Apparently, Zynga needs all the data in the URL to track a user across frames. I definitely would NOT post that long url. I've tested, and had no trouble going into another players account via two other games (not poker because I don't play it). It's very easy to trick Zynga's server by loading the long url's variable from their side and blocking any check back to Facebook.

[jacky andrey]

URL ?

[mandyw]

URL ?

It's the URl someone posted on page one of this thread but the url keys are only good for 24 hours. Zynga apparently stores those keys and uses them to authenticate the user. They store all of the values so you need the entire string of variables to trick their server. One letter off and it redirects you back to Facebook's login. If you can get that url within 24 hours of the keys being generated and know how to separate the game from facebook, then you can take over the person's account from Zynga's server. It's unfortunate because players keep innocently posting the urls.

[mandyw]

Just keep in mind that NoScript is blocking the url for a reason. It doesn't work when blocked because Zynga's sever is looking for an exact match on the url string. It only takes one bad player to find a way to execute javascript off their server to put everyone at risk. It also only takes one post of an iframe url to give someone access to your account. Simply doing a right-click and copy or open url exposes the long url. Of course, you could just repost the un-sanitized link on a security forum and invite hackers to your poker account. Sorry for the sarcasm but i'm surprised someone posted the detailed info to this forum. Hopefully, the user wasn't hacked and didn't suddenly find his/her chips missing. At this point, the stored keys are long expired.

[Giorgio Maone]

Sorry for the sarcasm but i'm surprised someone posted the detailed info to this forum.

As far as I can tell that info is worthless without user's session cookie (luckily so).

[MandyW]

Sorry but that's not true. I can show you on my screen exactly how it's done but as I mentioned, the keys expire..

[MandyW]

Sorry but just to clarify...

In the case of the post on page 1, the session has since expired so it's worthless now. At one time, it was valid for about 24 hours.

If you closely examine the link and variables, you will find that all of the user's apps.facebook.com session cookies are in the url, as well as the user's FB permissions for the specific app.

[Giorgio Maone]

you will find that all of the user's apps.facebook.com session cookies are in the url

It's quite brain damaged then, as this info could be logged on completely unrelated web servers (e.g. advertising or widget providers) through the referrer header.
However, that's Facebook after all...

[Guest]

I had this noscript block my poker game too blocking my poker game. I must of hit block somewhere along the line. I couldn't play for months. I kept trying to see how to unblock the poker game and couldn't get it figured out that way. I finally just unistalled the Noscript and reinstalled it and now the Zynga poker works fine. Do the same and it should work for you. I hope this is the answer that will help you solve your problem.