“Stylish” extension with 2M downloads banned for tracking every site visit
Quote:
Google, Mozilla, and Opera have pulled a browser extension with more than two million downloads after it was caught tracking every website its users visited—and sending the data to a remote server.
The Stylish extension allowed users to customize the look and feel of websites in a variety of ways. Among other things, it could remove clutter such as Facebook or Twitter news feeds, change normal pictures to black-and-white manga images, and change black-on-white site themes to white-on-black themes. Starting this year, Stylish started performing these useful functions at a high price: according to software engineer Robert Heaton, the extension started sending users’ complete browsing activity back to its servers by default, along with a unique identifier that in many cases could be used to correlate email addresses or other Internet attributes belonging to those users.
An updated Stylish privacy policy disclosed that the extension collected browsing histories. The version published in May, for instance, said that the information included “standard web server log information (i.e., web request) as well as data sent in response to that request, such as URL used, Internet Protocol address (trimmed and hashed for anonymization), HTTP referrer, and user agent.” Various articles from January, 2017, also noted the tracking but, citing a new owner of the extension, these articles said it would be anonymous. (This despite the fact that many URLs, particularly when stored in large quantities over a long period of time, can make it painfully obvious which individual is viewing them.)
Heaton used a security-testing tool called Burp Suite to analyze precisely what Stylish was doing. He found that it sent a large amount of obfuscated data to userstyles.org, a website under the control of the new Stylish owner. Heaton quickly figured out how to decode the data and discovered it contained an alarming amount detail, including every URL he visited, the actual Google search results from his browser window, and by default a unique identifier (although that can be removed by changing a setting).
Heaton said Stylish has been collecting the browser histories from Chrome users since January, 2017, and from Firefox users since March. Even though the collection was disclosed, it largely escaped the notice of Google, Mozilla, and Opera—not to mention more than two million end users—until Heaton documented it. Officials with Stylish didn’t immediately respond to a request to comment for this post.
Stylish far as I know is the only extension that has the old wrong planet theme written for it.
_________________
Professionally Identified and joined WP August 26, 2013
DSM 5: Autism Spectrum Disorder, DSM IV: Aspergers Moderate Severity
It is Autism Acceptance Month
“My autism is not a superpower. It also isn’t some kind of god-forsaken, endless fountain of suffering inflicted on my family. It’s just part of who I am as a person”. - Sara Luterman
29 Jul 2018, 6:29 pm
