Summary: Carter Cole's Blog
CarterCole.com
a 21 yr old developer from Houston, Texas
security, code, technology, gadgets, programming, social media, SEO
So it looks like Google has patched this hole, so I'll run through what I did, where it was and how they could have prevented it. It all comes down to one rule: sanitize all user inputs no matter what. This persistent XSS hole I found was in the protocol field... you can see how I was able to inject an unauthorized protocol for the site's profile.
The exposure of this attack was very minimal... they didn't validate the protocol against the list of options provided. Even though this has been fixed I still have a profile that has Chrome's special protocol on the analytics of one of my extensions.
By using the Chrome developer inspector you can modify the option list and add any protocol you want, well at least when it worked.
Now that they have fixed it this is the message that the UI shows when you try and send the unsupported protocol.
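As an added example (not Google's code, which the post never shows), here is the same bug in miniature: a profile settings handler that trusts whatever the protocol select field submits, beside one that checks the value against the server's own option list and escapes it on output. The http/https option list, the field names and the function names are assumptions.

```javascript
'use strict';

// Server-side copy of the option list behind the protocol <select>.
// The real Analytics options are an assumption; http and https are used.
const ALLOWED_PROTOCOLS = ['http', 'https'];

// Minimal HTML escaping for values rendered into element content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// BEFORE (the bug the post describes): the handler assumes the browser can
// only submit one of the <option> values, stores whatever arrived and
// renders it raw. Editing the option list in the inspector defeats that.
function saveProfileUnsafe(profile, form) {
  profile.protocol = form.protocol;
  profile.host = form.host;
  return profile;
}

function renderProfileUnsafe(profile) {
  return '<span class="proto">' + profile.protocol + '://</span>' +
         '<span class="host">' + profile.host + '</span>';
}

// AFTER: the server owns the option list. Anything not on it is rejected at
// write time, and stored values are still escaped at render time, so a value
// that reached the database some other way stays inert on the page.
function saveProfile(profile, form) {
  if (!ALLOWED_PROTOCOLS.includes(form.protocol)) {
    throw new Error('protocol must be one of: ' + ALLOWED_PROTOCOLS.join(', '));
  }
  // Hostname: labels of letters, digits and hyphens joined by dots.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/i.test(form.host)) {
    throw new Error('host is not a valid hostname');
  }
  profile.protocol = form.protocol;
  profile.host = form.host;
  return profile;
}

function renderProfile(profile) {
  return '<span class="proto">' + escapeHtml(profile.protocol) + '://</span>' +
         '<span class="host">' + escapeHtml(profile.host) + '</span>';
}

// Constructed submission: what a tampered <select> can send once its option
// list has been edited in the browser's developer tools.
const tamperedForm = { protocol: '<b>bogus</b>', host: 'www.example.com' };
```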

Date Published:
I have a big problem with scope creep... it's one of the things I've been trying to work on as a developer, but it's just funny to me that I would have scope creep on a blog post. This entire post came out as scope creep of my previous post because I wanted an easy way to add one of the GitHub ribbons that say "fork this repo". My problem came when I tried to use the code from this page on the GitHub blog but it didn't work unless it was injected into the body... so I decided to write a simple script to inject the badge with JavaScript, so all you have to do is include a little script tag with your username, the repo and what color and it will automatically drop it on the page.
These are the options you can pass in the querystring to change how it will be rendered:
- &usr= This is your GitHub username
- &repo= This is the repo to link to
- &side= What side ['left' or 'right']
- &color= The color of the ribbon ['red','orange','dblue','lgrey','green','white']
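An added example of the kind of injector the post describes (not the original script from the post): it reads its own script tag's querystring, accepts only the documented values for side and color, and builds the badge with DOM calls so nothing from the querystring is ever parsed as HTML. The image host, the GitHub name pattern and the ribbonSpec/mountRibbon names are assumptions.

```javascript
'use strict';

// Render options the embedding page is allowed to pick; anything else is refused.
const SIDES = ['left', 'right'];
const COLORS = ['red', 'orange', 'dblue', 'lgrey', 'green', 'white'];
// GitHub user and repo names: letters, digits, dot, underscore, hyphen.
const NAME_RE = /^[A-Za-z0-9._-]{1,100}$/;
// Where the badge images live (assumption; not GitHub's real paths).
const IMAGE_BASE = 'https://badges.example.invalid/forkme_';

// Turn the script tag's "?usr=..&repo=..&side=..&color=.." into a plain spec
// object. Every field is checked, so the result holds only allowlisted values
// or names matched by NAME_RE; the mount step never sees raw querystring text.
function ribbonSpec(query) {
  const params = new URLSearchParams(query.replace(/^\?/, ''));
  const usr = params.get('usr') || '';
  const repo = params.get('repo') || '';
  const side = params.get('side') || 'right';
  const color = params.get('color') || 'red';
  if (!NAME_RE.test(usr) || !NAME_RE.test(repo)) {
    throw new Error('usr and repo must be simple GitHub names');
  }
  if (!SIDES.includes(side)) throw new Error('side must be left or right');
  if (!COLORS.includes(color)) throw new Error('unknown ribbon color');
  return {
    href: 'https://github.com/' + usr + '/' + repo,
    img: IMAGE_BASE + side + '_' + color + '.png',
    alt: 'Fork ' + usr + '/' + repo + ' on GitHub',
    side,
  };
}

// Build the badge with DOM calls rather than innerHTML: the spec values become
// attributes and text, never markup. `doc` is a parameter so the function can
// be exercised outside a browser.
function mountRibbon(spec, doc) {
  const link = doc.createElement('a');
  link.href = spec.href;
  link.rel = 'noopener';
  link.style.cssText = 'position:absolute;top:0;' + spec.side + ':0;border:0;z-index:9999';
  const img = doc.createElement('img');
  img.src = spec.img;
  img.alt = spec.alt;
  link.appendChild(img);
  doc.body.appendChild(link);
  return link;
}

// Browser entry point: the script reads its own src, e.g.
// <script src="ribbon.js?usr=cartercole&repo=gspell&side=right&color=green">
if (typeof document !== 'undefined' && document.currentScript) {
  mountRibbon(ribbonSpec(new URL(document.currentScript.src).search), document);
}
```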
If you want to implement something that's not cross-browser then you should check this out. I really like what this guy did with his CSS3 version that has a special message when you mouseover.
And just so you can see what gets onto the pages... you can choose left or right; the colors are the same.

Date Published: Dec 12, 2011 - 9:48 am
I've been doing a lot of programming in node.js and I like to play with undocumented APIs, so it seemed natural, when I needed to do some spell checking, to use the undocumented XML API that Google uses to do spell-checking in the Firefox toolbar. I published the package into npm (the package manager for node.js), so to install all you have to do is
npm install gspell
and it's easy to check any text; it seems to be able to process pretty long strings. The script below shows how to check a string of text; it returns the result as the second argument to the callback function. Here's a JSON dump of the object it returns: in the array c there is an object for each spelling mistake. I've actually augmented the results the API returns to add the word it found that it thinks was misspelled. I used xml2js to parse the XML the REST API returns and request to make the HTTP calls. If you know of any changes that should be made just fork the repo and make a pull request.

Date Published: Dec 10, 2011 - 11:46 pm
I want this post to be a quick one but I hope it points out the type of crap companies do to try and grab money. Most cPanel (it's the most common hosting control panel) installations have some kind of autoinstaller for open source packages, and WordPress itself is a super easy install, but some hosting companies try and get you to pay for more than you need. Most hosting bandwidth for small sites is never used... they buy too big a package and the truth is it's best to start small and upgrade when you need to.
GoDaddy seems to be getting into this practice of overselling services... I understand the upsell when I'm checking out, but the truth is for most domains I don't need to buy the common spelling mistakes for my domain or every single ccTLD, but hey, you try and sell and we decline, that's fine. When I saw this I was just kinda sick. I can do a WordPress install in less than 10 min but most users can't, so what does GoDaddy do? They make it so the novice user has to pay more to install something that's super easy anyway and has many tools that allow it to be auto-installed. There is no reason for GoDaddy to charge extra for installing the application; it costs them absolutely nothing to host those tiny WordPress blogs and they are just doing a money grab and adding no value...
So if you need a WordPress blog fast and cheap just go here and send me 5 bucks... I'll get you set up for a one time fee and you won't have to keep paying those hosting companies for a bunch of bandwidth you don't need just so you can install WordPress easily.

Date Published: Dec 07, 2011 - 10:14 am
One of the things Bing first did while they were trying to catch up with Google was partner with Wolfram Alpha, the computational knowledge engine, and it gave them the ability to graph math functions and such... it was actually pretty cool. I was like hey, now I have a reason to go do a Bing query... so I had a little giggle today when I read the post on their blog "Showing some love to math lovers" where they are now doing graphs just like Bing has (with the Google rainbow logo colors of course).
It's actually pretty cool. I'm looking for more cool equations, so comment if you know any good ones... and with that I leave you with the idea that the big G can now graph love.

Date Published: Dec 05, 2011 - 1:09 pm
I often like to tinker with computer security; it provides a lot of cool problems to solve, and when I'm able to figure something out I'm excited, because beyond script kiddie SQL injection (on my own databases) and some XSS I'm a pretty tame "hacker" (I did find a hole in Wells Fargo). So I happened upon an online voting contest running locally in Houston, and I assumed they built their own voting system and I wanted to know what precautions they took against cheating. It's a hard problem to solve, I mean "click fraud" by Google made Bing look foolish and then there are things like astroturfing with Mechanical Turk, so it's a hard problem to solve and might not be the best case for "roll your own".
So anyways these CultureMap guys wrote a post about how they caught a cheater... The funny thing is I had already asked my boss if we wanted to cheat at this... and I was going to cheat the right way (so it all looks natural and you don't get caught). As I dug into reverse engineering their system it turns out they used a simple GET request for voting, which brings up some interesting issues. First, if a simple GET request is all you need then you can make a webpage that makes people autovote by dropping the vote URL into the src of an image element (then when it tries to load the image it autovotes). You also run the risk of GoogleBot crawling and voting... this was a big problem in the early days where the "delete" link in some admin dashboard somehow was publicly crawled and everything got deleted as Google crawled each delete link. Same thing happened to their system... you can see in this Google query all the "Thanks for voting" messages Google saw and indexed. That means that Google got its say in who won the contest :) and another issue with this voting thank you page is that anything you put into the URL is written directly to the page. We call that an XSS or Cross Site Scripting attack... that will let me craft URLs to do all kinds of fun stuff like make you link to me or steal the login cookies to your admin section. Here's just one example of what you can do injecting stuff into a page.
One way you can try and cut down on cheating is to block votes from the same IP, but then everyone in an office only gets one vote (because they all use the same IP). This is what another contest I decided to play a little dirty in did. So how did I get around the IP based block?
Proxies Proxies Proxies! After geocoding I'm able to choose which proxies to use and send requests in a random way so it all looks like normal traffic. You can see my blog in the site entries list; I was down by hundreds and caught up in just a few hours... probably raised some flags for the people running the contest :)
So what are the takeaways?
If you're running the contest
- Use a form POST to make the vote; it will be harder to trigger and Google won't be voting in your contest
- Geocode requests to make sure they are from the right region; this will help you detect somebody using proxies all in China
- Have some type of IP based reporting so you can try and catch big blatant offenders
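The takeaways for the contest operator, as an added example (not CultureMap's code, which the post does not show): a vote handler that refuses GET, checks the Origin and content type, looks the entry up server-side instead of reflecting anything from the request into the thank-you page, geocodes the client and keeps per-IP counts for an abuse report. The site origin, region codes, entry table and IP-to-region table are constructed.

```javascript
'use strict';

const SITE_ORIGIN = 'https://contest.example';   // assumed origin of the contest site
const ALLOWED_REGIONS = new Set(['US-TX']);       // the contest is local to Houston
const IP_REPORT_THRESHOLD = 25;                   // votes from one IP before it is flagged

// Server-side entry table (constructed ids and names). The thank-you page
// prints the display name from here, so nothing from the request is ever
// reflected into HTML.
const ENTRIES = new Map([
  ['blog-42', "Carter Cole's Blog"],
  ['blog-17', 'Some Other Blog'],
]);

// Constructed IP-to-region table standing in for a real geocoding lookup.
// 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
const GEO = new Map([
  ['203.0.113.10', 'US-TX'],
  ['203.0.113.11', 'US-TX'],
  ['198.51.100.7', 'CN-SH'],
]);

function newState() {
  return { tallies: new Map(), perIp: new Map(), outOfRegion: new Map() };
}

function bump(map, key) {
  map.set(key, (map.get(key) || 0) + 1);
}

// req: { method, headers: { origin, 'content-type' }, body: { entry }, ip }
// Returns { status, body } so the handler can be exercised without a socket.
function handleVote(req, state, geo = GEO) {
  // 1. A vote changes state, so it must be a POST. An <img src=...> on a
  //    third-party page, or a crawler following indexed links, can only GET.
  if (req.method !== 'POST') {
    return { status: 405, body: 'Votes must be submitted with POST' };
  }
  // 2. A plain HTML <form> on another site can still POST, so require a JSON
  //    body (which a form cannot produce) and our own Origin header.
  const h = req.headers || {};
  const json = String(h['content-type']).startsWith('application/json');
  if (h.origin !== SITE_ORIGIN || !json) {
    return { status: 403, body: 'Cross-site vote rejected' };
  }
  // 3. The entry id must be one we know; an unknown id is not echoed back.
  const entry = req.body && req.body.entry;
  if (!ENTRIES.has(entry)) {
    return { status: 400, body: 'Unknown entry' };
  }
  // 4. Geocode the client. Votes from outside the contest region are dropped
  //    and counted by region, which is how a proxy pool gives itself away.
  const region = geo.get(req.ip);
  if (!ALLOWED_REGIONS.has(region)) {
    bump(state.outOfRegion, region || 'unknown');
    return { status: 403, body: 'Voting is limited to the contest region' };
  }
  // 5. Count per IP instead of blocking repeats outright, so an office behind
  //    one address keeps voting while heavy hitters become visible.
  bump(state.perIp, req.ip);
  bump(state.tallies, entry);
  return { status: 200, body: '<p>Thanks for voting for ' + ENTRIES.get(entry) + '!</p>' };
}

// The IP based report the takeaways ask for: addresses past the threshold,
// plus how many out-of-region attempts arrived, grouped by region.
function abuseReport(state) {
  const heavyIps = [...state.perIp]
    .filter(([, n]) => n >= IP_REPORT_THRESHOLD)
    .map(([ip]) => ip);
  return { heavyIps, outOfRegion: Object.fromEntries(state.outOfRegion) };
}
```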
If you're "hacking" (or cheating) at a contest
- Sniff the HTTP traffic so you can know how to spoof the request identically to the original
- Geocode the proxies you use and make sure they are coming from a country that's allowed to participate
- If they use a GET request to vote laugh about it and post the auto-vote URL everywhere (posting to Twitter will get about 20 random crawlers to hit the link and vote as soon as the tweet is made)

Date Published: Dec 05, 2011 - 11:28 am
Facebook's about to have another big facelift, and not one like giving you an email address, I'm talking a whole profile redesign. I can't wait until I see the "Facebook turn back the Timeline" group. Everything is becoming objects and actions, and so special events are brought out with special attention (like life events, job changes or marriage) but you can also make up actions.
So to get the Facebook Timeline profile before anyone else you need to trick them into thinking you're a developer who wants to build something for the new system. So first go and sign up to be a Facebook developer; if you do anything with Facebook pages you probably already have done this. From the Developer Dashboard you add a new application and name it some gibberish, then go to the Open Graph section. It looks like this, filling out the form with whatever and giving it an action. This is the new functionality Timeline provides and what will get you invited early.
Go through the steps until the application is created.
When you go back to your homepage you will see a little alert like below; if you don't see it right away don't worry, it will show up eventually. Accept the dialog and it will take you through a tour of the new profile. I think they are doing this to try and sell the new look to the users, as they have just made the sweeping change without notice and without an explanation.
Ok now let's go through the tour, although it really is just a big waste of time. It's all pretty self explanatory but w/e, it's cool to get it early.
So first they tell you about this new cover thing that's like a big picture to explain yourself in a giant banner type thing, but there's still a profile picture, it's just a separate cutout over your cover.
And then we have the "don't worry, all your stuff is still here, it's just in a different place that's even better" step to explain that it's all still ok.
Then you've got the all activity button that shows everything from the beginning of your birth all the way to your death, unabridged, including all that has been redacted from public view.
And then they explain how you should love them forever for giving you access to your whole life all over again. I know I'm getting just a touch sarcastic but really, what's the purpose of this tour?
And their tools for searching Timeline for what you want to redact seem pretty sucky... there may be potential for an application right there. So after all that they dump you here and let you decide when you want to push your Timeline profile public.

Date Published: Dec 04, 2011 - 9:55 pm
I don't want to make it a regular thing just to republish other people's infographics, but this one was really cool to me. I may start to republish some of these with some more commentary. I really like to do stuff for conversion rate optimization... I'm finally getting some clients who can really benefit from it so we are getting to do a lot more. (No I'm not jumping topics talking about CRO; this infographic is from the CRE guys.)

Date Published: Dec 02, 2011 - 8:35 am

So I guess it's a little late, but I gave my first real talk at a conference... I think I may have gone too technical, and I was so nervous that if you decided to turn this into a drinking game every time I said "like" or "um" you would probably get alcohol poisoning, but practice makes perfect I guess. I wanted everyone to see how easy it was to get started creating Google Chrome extensions, so this video could probably be called a crash course and hello world all rolled into one. I created a mind map you can use to navigate around and I've made all the code used in the video available on GitHub so you can download the code and follow along. You can get the code from here; it's the
And all that remains is me talking like a total nerd for an hour about programming an extension, so here's the video. If you have any feedback for how I can improve my speaking or any comments on the code I would love to hear from you, or just bother me on Twitter; I'm @cartercole.

Date Published: Nov 28, 2011 - 6:38 pm
So Google has finally announced exactly when it plans to kill Wave. It seems to be in alignment with their recent push to show a cohesive design in all their products and taking a much more focused vision... I mean they are shutting down Google Labs... crazy. So anyways here's the email:
Dear Wavers,
More than a year ago, we
announced that Google Wave would no longer be
developed as a separate product. At the time, we committed to
maintaining the site at least through to the end of 2010. Today,
we are sharing the specific dates for ending this maintenance
period and shutting down Wave. As of January 31, 2012, all waves
will be read-only, and the Wave service will be turned off on
April 30, 2012. You will be able to continue exporting individual
waves using the existing PDF export feature until the Google Wave
service is turned off. We encourage you to export any important
data before April 30, 2012.
If you would like to continue using Wave, there are a number of
open source projects, including
Apache
Wave. There is also an open source project called
Walkaround that includes an
experimental feature that lets you import all your
Waves from Google. This feature will also work until the Wave
service is turned off on April 30, 2012.
For more details, please see our
help center.
Yours sincerely,
The Wave Team
© 2011 Google Inc. 1600 Amphitheatre
Parkway, Mountain View, CA 94043
You have received this mandatory email service announcement to
update you about important changes to your Google Wave
account.
Talk about it, cry, I mean we use it all the time at my office, so I guess we will be setting up our own Wave server... I never got into building one of the plugins (Othello) but w/e.

Date Published: Nov 23, 2011 - 4:28 pm
So search engines have been working more and more on security (I'm mostly talking about the big G and B); they both actually will alert you when they detect weird stuff on your domain or hacker scripts, and Google will let you know you need to update WordPress, so I think this is way cool... we have seen viruses that rewrite all the search results, but now Google can detect the SERP hijacking and warn you about it with a little message at the top. Super cool! I just want to know how they detect the request is being made from malware... does it only detect one kind or is it a generic heuristic based solution?

Date Published: Jul 25, 2011 - 2:11 pm
After the new Google Plus update it seems that some SEOs' favorite related keywords tool is gone... I had just finished a Wonder Wheel scraper so I went and got the URL that Wonder Wheel used to be at. When I run a search I get this error message:
"The search option you have selected is currently unavailable"
So I guess it's good that it says it's currently unavailable, because that implies that it may be back soon... some people were thinking that they had just left it off the UI accidentally, but the exact same thing happened around the last "Instant" update where you had to turn it off to see the option.
I'm starting a petition to tell Google to bring it back... click the link to sign the Twitter petition to Google.

Date Published: Jul 03, 2011 - 3:44 pm
Roi Sorezki has contacted me and said that the code was copied by a developer and that the copied portions of code would be removed.
Imitation is the sincerest form of flattery... unless they are stealing your code.
Hey there! I'm Carter Cole, the developer of the wildly popular SEO Site Tools Google Chrome extension. It's currently boasting a little over 34,000 active users and it's my 2nd pride and joy (I've got a son, Seth). My extension took a lot of hard work and time to create, and today I found someone had stolen my work and reskinned it, calling it their own, adding only minimal changes to the UI and almost no functionality. As a kind of counter, to hopefully shame the person who stole my code, I'm going to run through all my code: how it works, the history of how I created it, then I'm going to show the copied UI elements and finally I'm going to show the copied code stolen from my extension.
Skip to copied code or skip to copied UI (warning: I kinda go on a rant to explain why I care so much about this little tool).
I like to think of my tool as the Borg of SEO tools. I first got the idea to build it when I heard SEOmoz had a free API. I hoped to create a 1 to 1 copy of the SEOmoz extension for Firefox as a Google Chrome extension and give it to SEOmoz, to try and gain credibility to get a job there and also to take credit for the Chrome version. They didn't want to go for that and were going to keep it in-house, but would help and give feedback. After my first prototype it felt like something was lacking. There were so many more data sources that the Moz tool didn't show... So I downloaded every Firefox and Chrome SEO extension I could find and started sniffing the API calls they made (or scraped off SERPs; the best way to do this is with something like Fiddler). By combining only the metrics that really matter and adding in a few of my own ideas I had something awesome. That's why I call it the Borg: it was made by replicating the best parts, and as soon as another extension (in this case that was "Chrome SEO") created a new feature I would replicate (but not steal) the functionality and add it to my tool. I was doing almost weekly updates and the user base was growing like crazy. Then I got a new job and things stagnated. My extension is run on almost 10k pages a day, and because of scope creep I've lost sight of my original goals and haven't made an update in months. I really need to block out time to make updates. My tool getting stolen has been a rude awakening that I need to get coding again. So enough about why this matters so much to me. I'll get into how they stole my tool.
Now, because of the nature of Google Chrome extensions (they are all just HTML and JavaScript) it's quite difficult to protect your source code, so you expect it to be seen. Knowing this, I didn't even try to obfuscate the code, because it's pretty easy to reverse and if they really want the code they will get it. But there are some trade secrets you want to keep, so you do them in a way that's not that hard to figure out but will trick a few. One of the problems I identified with SeoQuake (my closely following competitor) was that they only hit one Google datacenter; that caused their PageRank queries to look automated and thus get the violation of TOS message. Google has tons of datacenters and I figured not all of them are telling each other who's asking for PageRank, so if we loop through all of them then we will have a kinda snowshoe that will let us make as many PageRank queries as we want without hitting those rate limiters. Cool, eh? Well, here they are, all the Google datacenter IPs DWORD encoded to try and help hide what they were. They appear in my SEO Site Tool like this:
and here is the stolen copy... on his server. Hmm, those kinda look the same... that's a little weird! But hey, I mean, that's just some regex and IP constants. There's nothing really magic in there, right? Not so bad.
Then we look at the gwebtools.js. It's obfuscated on his server, where it's here as gwebtools-remote.js, but that packer is easily defeated by the JS Beautifier and we find that it's an exact copy. Except, he removed my branding logo.
OK, so there are giant portions of code that are copied from my tool and obfuscated on a remote server, where he AJAXes it in to be evaled so none of the code he stole shows up in his tools file.
Here's how his eval function works executing my code... he AJAXes it in and executes it. I can keep showing example after example of copied function names and entire scripts that run different enhancements I wrote, but what made it so blatantly obvious that it was mine was the layout and display. I mean, it's all also copied. I even found a file they distributed with the extension called changesList.txt that had this in it. They took my code and just started Frankensteining it with their branding. But let's get to that stolen UI.
So, they actually AJAX in the HTML from my page from this URL indexhtml-remote.html when the popup loads. I used the Google Chart API to make my link pie chart... here's theirs (as blue).
They even copied the tooltip help stuff. I mean, it's like they didn't even care to try and hide it.
The way it shows the views of the elements is the same too; just some changes to my stylesheet is all it took.
Here's another example of exact copies of my tool compared to theirs (I'm showing theirs then mine).
...and here is my version: the original.
Same tools, same copy, same HTML table to resize the window... the function calls are the same, all of it, along with the string tools (which were really added in there for me, but I got some good ideas from Ontolo tools so I'll add those to the list of things to build).
Again I'm showing his copy and then my original...
Copy:
Original:
And finally, they copied all my automated SEO advice... something I actually hate to do because you get some users that fight to get all green and it's not really the best use of their SEO time, but that's a whole different issue.
One more time... here's their copy:
...and the same exact results in the same order as my tool, just different colors.
I've worked hard to create my tool and you have only begun to see the cool ideas I have planned. Hopefully I won't need to keep fighting my code being stolen, but I've worked too hard to see all my intellectual property stolen and do nothing about it.
I'm tired and wasted my night writing this whole rant. I just want credit for one of my best pieces of work, and if you want an SEO extension send me an email. I've built them for other firms and if the partner is right I see no reason why I wouldn't license the code out (the whole point is bragging rights and finding a way to make a little money). Petty? I guess, but it's my code and I'm gonna fight to keep it.

Date Published: May 19, 2011 - 10:05 am
SEOmoz should definitely make its way to Houston, TX. We are the fourth largest city in the US and have a large techie/nerd population, there's great food, and honestly there are a few SEO meetups that have stagnated and we need your help to get the excitement going for optimizing websites and producing great content.
You should hurry up... I think Roger the MozBot is already on his way :)
ReTweets help nominate Houston

Date Published: May 17, 2011 - 9:24 pm
I recently did a post on the LizaMoon SQL injection attack, and one of the cool things about it was that Google detected the attack, showed where it was living on the domain and processed the reconsideration request very promptly.
When you enter Google Webmaster Tools and they have detected a malicious script or exploit on your domain they will show you a red alert warning you of the infection.
When you click to the "Malware" section of the "Diagnostics" section of WMT you get a list of infected URLs, what the malicious script looks like and the date it was found. Google notices that the same script is repeated numerous times on the page and assumes it's infected database tables.
After you have gone and cleaned everything up and hopefully closed any of the SQL injection holes their malicious hacker crawler found, then you can tell Google to stop showing that giant red warning when people are going to pages that were infected.
The alert seems to be generated automatically, so I'm pretty sure it reruns the automated scan that detected the problem in the first place. But based on the response time I'm gonna say there is no human verification of the removal of the malicious code.
Some things to note while you're working on getting it clean: the big red warnings that try to send users away are created at a URL or folder level, so by renaming files you can make the warning go away even before Google's security bot has checked for infection again.
The easiest way to do the renaming would probably be using the .htaccess file and rewriting the URL to a new name and adding a canonical tag to the page.

Date Published: May 16, 2011 - 9:49 am