
Sunday, June 27, 2010

Google Reader Subscriber Statistics API

So I'm working on v3.0 of SEO Site Tools... it's going to totally rock. Rebuilt from the ground up, it now takes advantage of the new abilities of HTML5, things like the SQL database from the HTML5 spec, to provide result caching and historical data on almost every metric. Tons of useful SEO metrics can be pulled out of Google Analytics data, but it's often hard to get at it without using an external server to proxy the information or having to hand over your password. With OAuth authentication, your copy of SEO Site Tools gets a secure token for your Google Analytics data that can easily be revoked, and all processing and data storage happens right on your computer. But enough promoting; here is one of the new data sources I'm introducing. RSS can bring many return visitors if a blog is publishing regularly, so how many subscribers do they actually have? Well, I've hooked into the unpublished Google Reader API to create my own public API. Now SEO Site Tools or your mashup can use subscriber stats as another data source, so the data you see here
can now be used anywhere... it's up to you. The API now spits out all the info. It returns JSON(P), but I think I may also add XML support later. For XML, include output=xml, and there is the optional callback= parameter to do JSONP.

All code is in the original post.

That's going to call the function soMZcb(obj) with the following object as its first parameter:
There's a TON of data they return, but some of the coolest stuff is the Chart API URLs that show you all the subscriber usage stats, as well as total subscribers and when they read.

If you have any questions, feel free to ask me; I'd be happy to help. Look for all this new data in SEO Site Tools v3.0. It's on its way with even more speed and features than ever!

Wednesday, June 23, 2010

Google Talk Status API... now it's easy to style your GTalk badges however you like

Google Talk is awesome... and for a while I had the big stupid badge that would show whether I was online or not, with a click-to-chat button...

I wanted to be able to use this again and style it to my liking (I'm just crazy about my HTML), so I created my own API to pull the badge and return its info as JSON. I tried to do this with YQL, but they cache the requests, so I had to do it from my server.

So here's the super simple script and how to use it.
The API is at [appid]

First you're going to need to create a badge (that will let us query your status from a public location).
Next you need to find your badge ID. If this is the iframe URL for the badge, the bold part is the ID (or the tk= parameter). That's the badge ID you need to pass to the API as the tk= parameter :) along with the optional callback= parameter, so the result is returned as callback({Object}) and the script can be used as JSONP (see explanation here). Here's an example of what it returns (including the optional callback):

You must be on the main post to view the code.

That's about it, but one last thing I'll do... here's a quick example of its use.

And here's that script live right here (I tweaked it a bit for better output). If you have any questions then just click below; I'm usually online :)
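Both APIs in the posts above (the subscriber-stats one and the GTalk status one) take an optional callback= parameter and echo it back as callback({Object}). The thing to watch with JSONP is that the callback name is attacker-controlled input that ends up inside a script response: if it is echoed unchecked, any page that can point a user at the endpoint gets a reflected XSS sink. The code below is an added example of how a JSONP endpoint should handle that parameter; it is not Carter's server code (which is not reproduced on this page), the function names, the 64-character limit and the sample data are assumptions made for the example.

```javascript
// Added example, not the API code from these posts (which is not reproduced
// here). A JSONP endpoint echoes the caller-supplied callback= name into a
// script response, so the name must be validated before it is used, or the
// endpoint becomes a reflected XSS sink. renderResponse(), the 64-char limit
// and SAMPLE are assumptions made for this example.

// A dotted JavaScript identifier path such as "soMZcb" or "window.cb";
// nothing else (no parentheses, quotes, semicolons, whitespace or escapes).
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// JSON.stringify leaves '<', '>' and the line terminators U+2028/U+2029 as-is.
// Escaping them keeps the body safe inside a <script> block and when it is
// evaluated as a script, where a raw U+2028 inside a string is a syntax error.
function safeJsonStringify(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Builds { status, headers, body } for a JSON or JSONP reply.
function renderResponse(data, callback) {
  const nosniff = { 'X-Content-Type-Options': 'nosniff' };
  if (callback === undefined || callback === null || callback === '') {
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json; charset=utf-8', ...nosniff },
      body: safeJsonStringify(data),
    };
  }
  if (!isValidCallbackName(callback)) {
    // Reject rather than "clean up": a sanitised callback name is still a guess.
    return {
      status: 400,
      headers: { 'Content-Type': 'application/json; charset=utf-8', ...nosniff },
      body: safeJsonStringify({ error: 'invalid callback name' }),
    };
  }
  return {
    status: 200,
    // Served as JavaScript, never text/html, so a browser will not render it.
    headers: { 'Content-Type': 'application/javascript; charset=utf-8', ...nosniff },
    // The leading /**/ is a common hardening (Google's JSONP endpoints use it)
    // so the body can never begin with caller-chosen bytes.
    body: `/**/ ${callback}(${safeJsonStringify(data)});`,
  };
}

// Constructed sample in the spirit of the subscriber-stats API above.
const SAMPLE = { feed: 'http://example.invalid/feed', subscribers: 1234 };
console.log(renderResponse(SAMPLE, 'soMZcb').body);
console.log(renderResponse(SAMPLE, 'alert(1);//').status);
```

The client side stays exactly as the posts describe (a script tag pointing at the API with callback=soMZcb); the validation belongs on the server, because the browser will happily execute whatever comes back.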

Tuesday, June 22, 2010

Social Engineering + Encoded JavaScript = Facebook XSS: The Attack Explained


OK, good news guys... they have finally removed the page! But I reported them like 3 times and there was no "this page is hacking" button. I think it's stupid this grew to over a few hundred thousand duped before Facebook found and removed it. I even tweeted to them about this article after I made some JavaScript to pull the page's likes and update the count dynamically.

@facebook there's a page serving #XSS! read my analysis of #exploit code here #facebook #socialengineering

Facebook needs a better way to deal with these kinds of attacks, or at least a way to report them more easily.

Original Post

A friend who I never talk to just sent me to this page on Facebook: "The Most CRAZIEST & EPIC Facebook Break Up Ever! Absolute MUST SEE!" I usually never trust these things, but they had some custom FBML, so I wanted to see what was up. After you like the page you get access to the exploit code I've copied below. It gives instructions to paste the code below into the address bar. Now I totally thought it was suspect, but I've seen things like this do cool easter eggs before, so I tried it... then I get a notification "Your invitations have been sent." Doh! I've been duped. But I don't feel so bad because they have


so I'm just one of many. Now let's see what's going on...

You must view the original post to see the code...

Now let me just run some Carter magic on this and see what it's doing. First it creates a link on the page, then simulates a mouse event on that link. There are then 3 functions set on timers to hide the dialog, select all contacts, submit the form, and then replace the container with an iframe serving spam.
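The payload from the post is not reproduced on this page, so here is an added example, not Carter's analysis code, of the first thing a triager does with a "paste this into your address bar" payload: strip the javascript: scheme, peel off however many percent-encoding layers were used to make it unreadable, and list the DOM calls that make up the chain just described (create a link, fire a synthetic click, timed steps, form submit, iframe swap). The SAMPLE payload is constructed for this example; it has the same skeleton as the described attack but no real targets, and the function names and the list of suspect calls are assumptions of the example.

```javascript
// Added example, not the post's payload and not Carter's analysis code. Decodes
// a pasted "javascript:" payload and counts the DOM calls that give away the
// attack chain described above. SAMPLE is a constructed stand-in with the same
// skeleton as the described attack and no real targets; SUSPECT_CALLS,
// decodeLayers() and triage() are names chosen for this example.

const SUSPECT_CALLS = [
  ['createElement', 'creates a DOM node, e.g. the link that gets clicked'],
  ['initMouseEvent', 'builds a synthetic mouse event'],
  ['dispatchEvent', 'fires the synthetic event (a simulated click)'],
  ['setTimeout', 'delays a step until a dialog has had time to render'],
  ['submit', "submits a form on the user's behalf"],
  ['iframe', 'injects an iframe (spam or redirect)'],
  ['unescape', 'self-decoding layer'],
  ['eval', 'self-decoding layer'],
];

// Drop a leading "javascript:" scheme, case-insensitively, as the address bar does.
function stripScheme(text) {
  const t = text.trim();
  return /^javascript:/i.test(t) ? t.slice('javascript:'.length) : t;
}

// Percent-decode until the text stops changing (bounded), so double- or
// triple-encoded payloads end up readable. Returns every layer, outermost first.
function decodeLayers(text, maxLayers = 5) {
  let cur = stripScheme(text);
  const layers = [cur];
  for (let i = 0; i < maxLayers; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch {
      break; // malformed %-sequence: nothing further to decode
    }
    if (next === cur) break;
    layers.push(next);
    cur = next;
  }
  return layers;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Returns the fully decoded script plus a count of each suspect call it contains.
function triage(payload) {
  const layers = decodeLayers(payload);
  const decoded = layers[layers.length - 1];
  const findings = [];
  for (const [call, why] of SUSPECT_CALLS) {
    const count = (decoded.match(new RegExp(escapeRegExp(call), 'g')) || []).length;
    if (count > 0) findings.push({ call, count, why });
  }
  return { encodingLayers: layers.length - 1, decoded, findings };
}

// Constructed sample: one encoding layer over a script with the same skeleton as
// the attack described above (synthetic click, three timed steps, iframe swap).
const SAMPLE =
  'javascript:' +
  encodeURIComponent(
    "var a=document.createElement('a');a.href='#';document.body.appendChild(a);" +
    "var e=document.createEvent('MouseEvents');" +
    "e.initMouseEvent('click',true,true,window,0,0,0,0,0,false,false,false,false,0,null);" +
    'a.dispatchEvent(e);' +
    'setTimeout(function(){/* hide the dialog */},1000);' +
    'setTimeout(function(){/* select all contacts */},2000);' +
    'setTimeout(function(){document.forms[0].submit();' +
    "document.getElementById('container').innerHTML=" +
    "'<iframe src=\"http://example.invalid/\"></iframe>';},3000);"
  );

const report = triage(SAMPLE);
console.log(`encoding layers: ${report.encodingLayers}`);
for (const f of report.findings) console.log(`${f.call} x${f.count}: ${f.why}`);
```

Three setTimeout calls, one dispatchEvent and one submit in a payload a user is asked to paste into their own address bar is the signature of this class of self-XSS: the script runs with the victim's session, so no flaw in the site is needed beyond a UI that lets a script drive the invite dialog.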

I gotta admit, pretty well done: get the users to run the exploit for you. And because Facebook makes it so hard to report hackers, I bet I have infected many of my friends and have no way of stopping or recovering the notifications. I looked everywhere and I can't find any way to see a log of what I've sent or how I can recover those messages.

Lame Facebook Lame!

Wednesday, June 9, 2010

Caffeine is live! I think I was close enough to say I'm right

It's been reported like crazy everywhere else (178,000 times in the last 24 hrs), but what is it? Basically they made their index completely fluid, so they can scale and insert at any time to their heart's content. You should read the official post for some of their little factoids, like:
In fact, every second Caffeine processes hundreds of thousands of pages in parallel. If this were a pile of paper it would grow three miles taller every second.

Crazy stuff... and this is the prediction I made: that the new layout would drop around the time of Caffeine. I think I was close; I think it's something like 2 months, and unless I'm told otherwise it's been my understanding that it's been tested and rolled out more and more this whole time (Matt Cutts said it didn't have anything to do with the "May Day" update).

So if you have any questions or anything to add, please bother me below...