Firefox and Chrome Pull Popular Browser Extension Stylish From Their Stores After Report Claimed It Logs and Shares Browsing History, Credentials

← Back to Stories (view on slashdot.org)

Firefox and Chrome Pull Popular Browser Extension Stylish From Their Stores After Report Claimed It Logs and Shares Browsing History, Credentials

Posted by msmash on Wednesday July 4, 2018 @10:00AM from the end-of-road dept.

sombragris writes: Stylish, a popular extension available for Chrome and Firefox which allows for easy customization of any website, now phones home and shares its users' browser history with its corporate parent, according to blogger Robert Heaton. This prompted Firefox to ban the extension from its addons site and prompt all users to disable it. The discussion can be seen in the relevant bug report. In Heaton's words:

Stylish is no longer a well-meaning product with your best interests at heart. If you use and like Stylish, please uninstall it and switch to an alternative like Stylus, an offshoot from the good old version of Stylish that works in much the same way, minus the spyware.

Google too has pulled the extension from its extension store. This is not the first time Stylish is at the centre of a privacy debacle

5 of 68 comments (clear)

Min score:

Reason:

Sort:

We need an extention protection mechanism by xack · 2018-07-04 09:18 · Score: 3, Informative

Extentions need to be protected. We need to have a last known good backup system in place for extentions at risk of being hijacked.
1. Re:We need an extention protection mechanism by Anonymous Coward · 2018-07-04 15:08 · Score: 3, Informative
  
  If you're on Firefox, go to about:config and flip "extensions.update.autoUpdateDefault" to "false". You can also change this per-extension by clicking on the "More" link on each extension. The first field is "Automatic Updates" and you can choose between Default, On, and Off.
If you were using stylish on Firefox.... by gerald.edward.butler · 2018-07-04 12:31 · Score: 5, Informative

I was using stylish for quite some-time. I'm disappointed that this kind of breaking of trust occurred with that extension. I've now switched over to stylus instead. It works great (even better than stylish). It seems to behave better, have a better UI, and more stability. So, if you're unsure what to use, definitely give stylus a try.
1. Re:If you were using stylish on Firefox.... by Anonymous Coward · 2018-07-04 15:46 · Score: 2, Informative
  
  Can confirm, Stylus works just as well. No modification of my styles were needed.
Re:Spot the blame-jumping by Anonymous Coward · 2018-07-04 18:23 · Score: 2, Informative

Maybe there needs to be some kind of permissions system for extensions so that the user is prompted to grant access to things like history, credentials, form fields, user key-strokes, etc.
There is. That's part of the new extension system. The concept of permissions is fundamentally at odds with the old extensions system and was one of reasons for the new extension system.
Unfortunately, as pointed out elsewhere in this thread, there's no way to implement Stylish such that it doesn't have the rights to leak every URL you visit, since it can just add extra CSS that sends that information back via loading an image on its remote server. Of course, uMatrix or similar could block such a thing, but that's definitely a tool for advanced users.