Slashdot Mirror


Firefox and Chrome Pull Popular Browser Extension Stylish From Their Stores After Report Claimed It Logs and Shares Browsing History, Credentials

sombragris writes: Stylish, a popular extension available for Chrome and Firefox which allows for easy customization of any website, now phones home and shares its users' browser history with its corporate parent, according to blogger Robert Heaton. This prompted Firefox to ban the extension from its addons site and prompt all users to disable it. The discussion can be seen in the relevant bug report. In Heaton's words:

Stylish is no longer a well-meaning product with your best interests at heart. If you use and like Stylish, please uninstall it and switch to an alternative like Stylus, an offshoot from the good old version of Stylish that works in much the same way, minus the spyware.

Google too has pulled the extension from its extension store. This is not the first time Stylish is at the centre of a privacy debacle.


  1. But how bad? by Anonymous Brave Guy · Score: 5, Interesting

    The title suggests that not just browsing history but credentials are uploaded. The latter is potentially much worse than the former. Does anyone have verifiable data on exactly what was uploaded? Does everyone who got caught out by this need to reset their IDs/passwords/whatever on every site they visited while using the extension? Or every site they've ever visited and allowed their browser to store login credentials?

    The new owners could be in pretty deep brown stuff anyway given that this sort of behaviour without explicit consent is now very illegal throughout Europe, but if they were stealing credentials then it would be prudent to reset everything, which of course could mean dozens or hundreds of different sites for some people.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:But how bad? by Anonymous Coward · Score: 2, Interesting

      The "credentials" part of the title is misleading.

      Stylish sends our complete browsing activity back to its servers, together with a unique identifier. [...] The SimilarWeb Privacy Policy says that they only collect “non-personal” data, and I assume that this is technically true.

      There is only evidence that Stylish sends home browsing history, but TFA discusses how visited URLs may contain credentials or one-time keys, and how Stylish can link them to a userstyles.org account.

  2. We need to not keep trusting everyone's software by Anonymous Brave Guy · Score: 4, Interesting

    There is a plague in the modern tech industry, where everything from browser extensions to microlibraries for your favourite programming language is written by someone you've never met, supplied via some sort of centralised repository or distribution channel that you trust instead, and then winds up on your machine doing who-knows-what because that trusted distribution mechanism missed something, or even because the trusted developer of some code you're running, which you downloaded via a trusted source, itself trusted someone else unwisely.

    The solution to this isn't just proper validation of where the code you're downloading actually came from, it's also to have security models more sophisticated than the 1980s in the Internet age. For example, why the hell could a browser extension that was there to modify the appearance of pages you were visiting suddenly choose to upload anything to the mothership without requiring additional permissions?

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  3. Re:We need to not keep trusting everyone's softwar by stoborrobots · Score: 1, Interesting

    As the grandparent pointed out, you haven't solved anything.

    Even if the plugin is only allowed to insert valid css into the page, it can send information back to any site on the internet, by using css properties which take url values, including background. The ability to send data to an arbitrary server is implicit in the ability to inject css into a page.
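
Added example, not part of the comment thread: the last comment's point is that any `url()` value in injected CSS makes the browser request the named host, so one defensive check before installing a user style is to list the remote hosts it references. The function name, the allowlist parameter and the sample style are constructed for illustration; this regex pass does not decode CSS escape sequences, so a full audit should use a real CSS parser.

```javascript
// Added example: list the remote hosts a user style would make the browser contact.
// All names and the sample style are constructed for illustration.

const PAGE_BASE = "https://page.invalid/"; // stand-in for the styled page's own origin

function findRemoteReferences(css, allowedHosts = []) {
  // Drop comments so a url() inside /* ... */ is not reported.
  const text = css.replace(/\/\*[\s\S]*?\*\//g, "");
  // Matches url(...) with optional quotes, and the bare-string form of @import.
  const pattern = /url\(\s*(['"]?)(.*?)\1\s*\)|@import\s+(['"])(.*?)\3/gi;
  const findings = [];
  let m;
  while ((m = pattern.exec(text)) !== null) {
    const target = (m[2] !== undefined ? m[2] : m[4]).trim();
    let parsed;
    try {
      parsed = new URL(target, PAGE_BASE); // resolves relative and //host forms
    } catch (e) {
      continue; // not a parseable URL
    }
    const isWeb = parsed.protocol === "http:" || parsed.protocol === "https:";
    // data: URIs and same-page relative paths do not reach a third party.
    if (!isWeb || parsed.hostname === "page.invalid") continue;
    if (allowedHosts.includes(parsed.hostname)) continue;
    findings.push({ host: parsed.hostname, url: parsed.href });
  }
  return findings;
}

// Constructed sample style.
const SAMPLE_STYLE = `
/* theme: url(https://commented-out.example/ignored.png) */
@import "https://fonts.example/face.css";
body { background: url("https://cdn.example/bg.png?v=1"); }
.logo { background-image: url(//img.example/logo.svg); }
.icon { background: url(data:image/png;base64,AAAA); }
.local { background: url(/static/tile.png); }
`;

console.log(findRemoteReferences(SAMPLE_STYLE, ["fonts.example"]));
```

With `fonts.example` allowlisted, the sample reports `cdn.example` and `img.example`; the commented-out reference, the `data:` URI and the relative path are not reported.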