Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox and Chrome Pull Popular Browser Extension Stylish From Their Stores After Report Claimed It Logs and Shares Browsing History, Credentials

Posted by msmash on from the end-of-road dept.

sombragris writes: Stylish, a popular extension available for Chrome and Firefox which allows for easy customization of any website, now phones home and shares its users' browser history with its corporate parent, according to blogger Robert Heaton. This prompted Firefox to ban the extension from its addons site and prompt all users to disable it. The discussion can be seen in the relevant bug report. In Heaton's words:

Stylish is no longer a well-meaning product with your best interests at heart. If you use and like Stylish, please uninstall it and switch to an alternative like Stylus, an offshoot from the good old version of Stylish that works in much the same way, minus the spyware.

Google too has pulled the extension from its extension store. This is not the first time Stylish is at the centre of a privacy debacle

13 of 68 comments (clear)

  1. Bad - but not surprising or unexpected by Anonymous Coward · · Score: 5, Insightful

    We now live in "The Internet Economy" where everything is based on "monetizing" the customer.

  2. We need an extention protection mechanism by xack · · Score: 3, Informative

    Extentions need to be protected. We need to have a last known good backup system in place for extentions at risk of being hijacked.

    1. Re:We need an extention protection mechanism by Luthair · · Score: 3, Insightful

      Not sure what one can really do, if a developer willing gives away the keys to the extension.

    2. Re:We need an extention protection mechanism by Waccoon · · Score: 3, Insightful

      While we're at it, could we also have a mechanism to override auto-updating? It sucks when a developer sells his extension, and then everything auto-updates to the all-new system without appropriate disclosure. One of many reasons I don't want ANYTHING to auto-update anymore.

    3. Re:We need an extention protection mechanism by Anonymous Coward · · Score: 3, Informative

      If you're on Firefox, go to about:config and flip "extensions.update.autoUpdateDefault" to "false". You can also change this per-extension by clicking on the "More" link on each extension. The first field is "Automatic Updates" and you can choose between Default, On, and Off.

  3. But how bad? by Anonymous+Brave+Guy · · Score: 5, Interesting

    The title suggests that not just browsing history but credentials are uploaded. The latter is potentially much worse than the former. Does anyone have verifiable data on exactly what was uploaded? Does everyone who got caught out by this need to reset their IDs/passwords/whatever on every site they visited while using the extension? Or every site they've ever visited and allowed their browser to store login credentials?

    The new owners could be in pretty deep brown stuff anyway given that this sort of behaviour without explicit consent is now very illegal throughout Europe, but if they were stealing credentials then it would be prudent to reset everything, which of course could mean dozens or hundreds of different sites for some people.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:But how bad? by Anonymous Coward · · Score: 2, Interesting

      The "credentials" part of the title is misleading.

      Stylish sends our complete browsing activity back to its servers, together with a unique identifier. [] The SimilarWeb Privacy Policy says that they only collect “non-personal” data, and I assume that this is technically true.

      There is only evidence that Stylish sends home browsing history, but TFA discusses how visited URLs may contain credentials or one-time keys, and how Stylish can link them to a userstyles.org account.

  4. We need to not keep trusting everyone's software by Anonymous+Brave+Guy · · Score: 4, Interesting

    There is a plague in the modern tech industry, where everything from browser extensions to microlibraries for your favourite programming language is written by someone you've never met, supplied via some sort of centralised repository or distribution channel that you trust instead, and then winds up on your machine doing who-knows-what because that trusted distribution mechanism missed something, or even because the trusted developer of some code you're running, which you downloaded via a trusted source, itself trusted someone else unwisely.

    The solution to this isn't just proper validation of where the code you're downloading actually came from, it's also to have security models more sophisticated than the 1980s in the Internet age. For example, why the hell could a browser extension that was there to modify the appearance of pages you were visiting suddenly choose to upload anything to the mothership without requiring additional permissions?

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  5. If you were using stylish on Firefox.... by gerald.edward.butler · · Score: 5, Informative

    I was using stylish for quite some-time. I'm disappointed that this kind of breaking of trust occurred with that extension. I've now switched over to stylus instead. It works great (even better than stylish). It seems to behave better, have a better UI, and more stability. So, if you're unsure what to use, definitely give stylus a try.

    1. Re:If you were using stylish on Firefox.... by Anonymous Coward · · Score: 2, Informative

      Can confirm, Stylus works just as well. No modification of my styles were needed.

  6. Re:Spot the blame-jumping by jaa101 · · Score: 2, Insightful

    the real blame lies squarely with the FF devs.

    Wrong.

    On what fscking planet is there justification for ALLOWING an extension to access history in the first place?!

    For examples, try searching for Firefox extensions involving history.

    Maybe there needs to be some kind of permissions system for extensions so that the user is prompted to grant access to things like history, credentials, form fields, user key-strokes, etc. Until there is, understand that you need to trust your extensions just as much as you have to trust the browser itself. This shouldn't be a surprise to anyone.

  7. Bigger deal than what Facebook's doing by Chameleon+Man · · Score: 2

    People are concerned with the Cambridge Analytica stuff, where an app scrapes essentially publically-made data of users, but browser extensions are far scarier. If granted the right permissions, they have free reign on scraping password data. I imagine far more extensions are doing it.

  8. Re:Spot the blame-jumping by Anonymous Coward · · Score: 2, Informative

    Maybe there needs to be some kind of permissions system for extensions so that the user is prompted to grant access to things like history, credentials, form fields, user key-strokes, etc.

    There is. That's part of the new extension system. The concept of permissions is fundamentally at odds with the old extensions system and was one of reasons for the new extension system.

    Unfortunately, as pointed out elsewhere in this thread, there's no way to implement Stylish such that it doesn't have the rights to leak every URL you visit, since it can just add extra CSS that sends that information back via loading an image on its remote server. Of course, uMatrix or similar could block such a thing, but that's definitely a tool for advanced users.