Category Archives: Apis

Is Facebook Fingerprinting Chrome extensions?

This morning I noticed something new in my Chrome Console while working on a Chrome Extension. It looks like Facebook is now looking to see if you have a set of Chrome extensions installed in your browser. Most of the extensions I looked up on Google’s web store and via their search engine and they look like they are Malware of some sort, but a few of them look like they are much less harmless. It’s hard to see what the extensions actually do because they have been pulled from the Chrome Web Store, but some of these look like they modified the appearance of Facebook intentionally.

Some users don’t like being forced to see walmart colors all over the web and have used various tactics to customize the web to their liking. Some other users might do it for usability reasons or just plain augmentation of the web.

Does Facebook have the right to do this? It feels like an invasion of my privacy. I think the latest version of Chrome protects us from this sort of attack but that does not mean that Facebook won’t invest in other ways to discover this information or that they won’t lobby google to discover it. Some extensions also have the ability to open up channels to other extensions so if facebook had it’s own extension it might still try to fingerprint which extensions are there.

This isn’t all bad, in fact it really depends on how it’s being used. If it’s only used to defend our privacy and security then it seems fine, but if this little trick is being abused this could really sour things.

I guess I am mostly just surprised that Facebook is doing this.

Screen Shot 2012-09-05 at 10.30.49 AM

To get this to occur in your own browser you will need to be a bit sneaky and use a private session. Once Facebook runs the finger print they don’t do it all of the time, I think they only do it on auth and then they cache the result in some way. In fact since some extensions have access to the cookies I wonder if one could ‘skip’ the finger printing by setting the proper cookies or localstorage setting.

Finger Printed Extension IDs

kjafndplmofcedgddaoceenkcbfankem
kincjchfokkeneeofpeefomkikfkiedl
iejbljbhhoclgfiapmomcpkpkcmihfib
lkfhadffdnjnogmgjfihlcmmjhcfchaj
afnnkheojlgkipfabekmdkngocfhegck
hkpibllecmidllaojdmkcmfnoinmejco
gpllafflnmgjjcakjloknldkndnkmcpi
pkhidkonipdjidjglnkfcfhnkfnlefbk
kjafndplmofcedgddaoceenkcbfankem
kincjchfokkeneeofpeefomkikfkiedl
iejbljbhhoclgfiapmomcpkpkcmihfib
lkfhadffdnjnogmgjfihlcmmjhcfchaj
afnnkheojlgkipfabekmdkngocfhegck
hkpibllecmidllaojdmkcmfnoinmejco
gpllafflnmgjjcakjloknldkndnkmcpi

JSLint-Feature – Error Severity

Hi Douglas,
I have been to a good number of your talks, and I love the idea behind JSLint. I even don’t mind it when JSLint makes me cry every now and then, however, I feel like the priority of JSLint should be around launch successful code early and often.

Here at Kabam we build games that run as HMTL5 apps, and recently we have started to use JSLint as part of our build process. In a few cases it has caught some minor errors and we were later able to resolve them.

Our build process uses Jenkins, which is an open source version of Hanson. These continuous build automation tools make use of another wrapper library you might be familiar with. http://code.google.com/p/jslint4java/

So in this sense let’s say a develop wants to add a new piece of code, and this code causes a problem.

JSLint reacts in the following ways,
– it has a an error limit and stops reporting erros after a certain amount
– errors are not prioritized based on ‘newness’ – because that would be hard
– errors are not prioritized based on priority.

The end result is that a team must fix all errors to get the maximum value out of JSLint.

I propose a 2 part solution.
1. JSLint should not set error priority, unless it sets sensible defaults
2. JSLint should report an error code so that a wrapper like jslint4java could use a config file set an error priority.

This would allow teams to triage error types as part of their build/ development process.

On line 1326 you have a function warn() defined I propose it’s written something like so, including a new warning property, defining an error.type property using the bundle[] accessor name as the error code.

If you think of some other change that could get to the spirit of what I am looking for that would be great too. If I get the time I might try to implement a prototype. Hudson and Jenkins have 3 levels of errors, High, Medium, and Low.

Would you have some suggestions as to what would make good defaults for each of the error.types?

I feel like this change would better support agile development and continuous integration, and would allow teams to prioritize their development efforts.

Thank you for being a beacon and leader in the community.

function warn(message, offender, a, b, c, d) {

        var character, line, warning;

        offender  = offender || next_token;  // `~
        line      = offender.line || 0;
        character = offender.from || 0;

        warning = {
            id: '(error)',
            raw: bundle[message] || message,
            type: message,
            evidence: lines[line - 1] || '',
            line: line,
            character: character,
            a: a || (offender.id === '(number)'
                ? String(offender.number)
                : offender.string),
            b: b,
            c: c,
            d: d
        };

        warning.reason = warning.raw.supplant(warning);

        JSLINT.errors.push(warning);

        if (option.passfail) {
            quit(bundle.stopping, line, character);
        }

        warnings += 1;

        if (warnings >= option.maxerr) {
            quit(bundle.too_many, line, character);
        }

        return warning;
    }

Paypal IPN Validation Fails with Adaptive Payments and PHP query/ post parameters

If you are looking for a solution you can find it here.
Thank you Gleb ( http://www.memberwing.com/ )

https://www.x.com/message/158509#158509

The problem comes in how the API is designed, and it takes advantage of a little known feature of query parameters and their allowed characters. Paypal uses array’ed parameters like:

&transaction[0].status=value

The problem is that PHP does not know how to parse the query parameter and either skips it or stops processing the list. ( i can’t remember which ).

Paypal’s Adaptive Payments API is neat and freshens up their functionality, and additionally uses JSON as a communication layer, so I think it’s clearly their future, however, there are a number of little problems like this as you walk through getting up to speed on the API. I hope this helps anyone in the future by saving them an hour to day.

It kinda reminds me of some of the problems we had getting the MySpaceID API up and polished so I guess this is a nod to all of those APIs that do it right the first time.

Cheers.

Getting VerifyStatus API working in Sandbox

There are a few caviots to getting the API working.
I hope this saves someone a few hours/ days.

  • CallerServices.php has a small bug
  • Only Sandbox email accounts work in the sandbox. Thanks for confiming @ppalavilli
  • ALL Sandbox accounts have the First Name: Test Thanks @ppalavilli
  • ALL Sandbox accounts have the Last Name: User Thanks @ppalavilli

If you get a

PHP Warning: Missing argument 3 for CallerServices::callWebService()

On line 101 of CallerServices.php you have:

function callWebService($request,$serviceName,$simpleXML)

It should read: //(most of the calls that use callWebService are parent::callWebService( $request,$serviceName ) anyways.

function callWebService($request,$serviceName,$simpleXML=NULL)
{
$response = null;
try {
    $endpoint=API_BASE_ENDPOINT.$serviceName;
    $response = call($request, $endpoint, $this->sandBoxEmailAddress,$simpleXML);
}
catch(Exception $ex) {
throw new FatalException('Error occurred in call method');
}
   return $response;
}

Here is the code I used. Replace {email} with one of your sandbox email addresses.

public function verify_email($params){
$VstatusRequest = new GetVerifiedStatusRequest();
 
$VstatusRequest->emailAddress = '{email}';
$VstatusRequest->matchCriteria = 'NAME';
$VstatusRequest->firstName = 'Test';
$VstatusRequest->lastName = 'User';
 
$rEnvelope = new RequestEnvelope();
$rEnvelope->errorLanguage = "en_US";
$VstatusRequest->requestEnvelope = $rEnvelope ;
 
$aa = new AdaptiveAccounts();
$response = $aa->GetVerifiedStatus($VstatusRequest);
 
echo json_encode($response);
  }

The JSON encoded object looks like such:

{"responseEnvelope":{
    "timestamp":"2011-03-25T15:37:32.44307:00",
    "ack":"Success",
    "correlationId":"42bce847aebc9",
    "build":"1772158"
},
"accountStatus":"VERIFIED"
}

@jdavid

Paypal X Adaptive Pay FundingConstraint for PHP

The following code is an example of adding the FundingConstraint objects for a payRequest with Paypals new Adaptive Payments. I hope this helps.

$payRequest->fundingConstraint = new FundingConstraint();

//$payRequest
//    ->fundingConstraint
//    ->allowedFundingType
//    ->fundingTypeInfo
//    ->fundingType = "BALANCE";

$payRequest
    ->fundingConstraint
    ->allowedFundingType
    ->fundingTypeInfo
    ->fundingType = "ECHECK";

Vid.ly Beta IE size bug work around

        var n = document.getElementById('vidly-wrapper');
        if( n != null && vidjs.prototype.isIe() ){
            vidjs.prototype.flashMarkup =
                        '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="{width}" height="{height}">' +
                        '<param name="movie" value="http://vidly.dev.jentek.net/templates/js/player.swf"/>' +
                        '<param name="FlashVars" value="src={file}&skin=http://vidly.dev.jentek.net/skin.xml&scaleMode=none"><param name="AllowFullscreen" value="true"/>' +
                        '<param name="allowscriptaccess" value="always"></param>'+
                            '</object>';
           vidjs.prototype.flashMarkup = vidjs.prototype.flashMarkup.replace("{width}", '610');
           vidjs.prototype.flashMarkup = vidjs.prototype.flashMarkup.replace("{height}", '360');
       
           n.parentNode.removeChild(n);
           new vidjs();
       }
       

A few XPath links to make YQL and HTML scraping easier.

quick and basic
http://www.w3schools.com/XPath/xpath_syntax.asp

great resource for detailed string functions
http://oreilly.com/catalog/xmlnut/chapter/ch09.html

quick list of all of the functions in xpath
http://www.w3schools.com/xpath/xpath_functions.asp

great example of more sophisticated function selectors
http://www.eggheadcafe.com/articles/20030627d.asp

multiple attribute
http://www.coderanch.com/t/128329/XML/XPATH-selection-based-multiple-attribute

fun with concat
http://blogs.sun.com/rajeshthekkadath/entry/xpath_searching_for_a_text

http://www.xml.com/pub/a/2002/08/14/xpath_tips.html?page=3

Federated Twitter bots

Just a quick thought.

I wonder if all of the the twitter bots are a result of people trying to gain free api access to twitter.  Normal rules allow a certain number of requests per minute or or something.  However if yo were to have 1,000 accounts, you could perform 1,000x that number of requests and searches per hour.

I bet if twitter looked for accounts that were performing high volumes of API requests, they would find accounts that were most likely linked to bots.

I am not yet sure if it is worth it for twitter to remove these accounts or if they are oddly good for the ecosystem.