PSA: "Stylish" browser add-on steals your internet history July 3, 2018 7:33 PM Subscribe
The popular "Stylish" browser extension, which allows you to download custom styles for a given site (such as making text more readable, removing UI cruft, or adding a professional white background), has been silently logging its users web activity for the last year and a half. The new owners of the add-on at the time, SimilarWeb, offer products including “Market Solutions To See All Your Competitors’ Traffic.”
While the data is supposedly anonymized, many URLs can be trivially de-anonymized, especially when linked to your cookies on popular sites for downloadable styles, or even just from data in the pages you're visiting such as login or password reset tokens.
Mozilla has removed Stylish from its add-on catalog, but as of this writing it is still available on the Chrome store, and neither is likely to automatically disable or remove the add-on even for your protection.
Alternatives exist, including a fork of the pre-spyware Stylish called "Stylus" for Firefox or Chrome.
However, this is likely an important lesson about the security risks of custom browser extensions... even those originally developed with good intentions can be acquired by people with more sinister and/or incompetent security practices.
While the data is supposedly anonymized, many URLs can be trivially de-anonymized, especially when linked to your cookies on popular sites for downloadable styles, or even just from data in the pages you're visiting such as login or password reset tokens.
Mozilla has removed Stylish from its add-on catalog, but as of this writing it is still available on the Chrome store, and neither is likely to automatically disable or remove the add-on even for your protection.
Alternatives exist, including a fork of the pre-spyware Stylish called "Stylus" for Firefox or Chrome.
However, this is likely an important lesson about the security risks of custom browser extensions... even those originally developed with good intentions can be acquired by people with more sinister and/or incompetent security practices.
Now that I don't have the higher-contrast style applied automatically, I feel like MetaFilter has been reset to its retail settings with the brightness and tint turned to maximum. :(
posted by Riki tiki at 7:45 PM on July 3, 2018
posted by Riki tiki at 7:45 PM on July 3, 2018
I was about to make a post on the blue about this when work got busy! The author of uBlock Origin (gorhil) wrote about this a year ago. The user info is correlated with a unique ID, so SimilarWeb can build a complete profile of you with this stuff.
posted by a snickering nuthatch at 8:50 PM on July 3, 2018 [1 favorite]
posted by a snickering nuthatch at 8:50 PM on July 3, 2018 [1 favorite]
Thanks, Riki tiki - wow I didn't realize Stylish had been sold off last year. Do you (or anyone else) know if the logging has been happening even if the browser extension option for "Send anonymous data to Stylish developers" was disabled? I did a quick search and didn't find anything so far.
Disabled Stylish in my browsers and installed Stylus instead. Another incentive to copy my user styles over to the MeFiScripts github.
posted by rangefinder 1.4 at 8:50 PM on July 3, 2018 [1 favorite]
Disabled Stylish in my browsers and installed Stylus instead. Another incentive to copy my user styles over to the MeFiScripts github.
posted by rangefinder 1.4 at 8:50 PM on July 3, 2018 [1 favorite]
If you opt out, it doesn't send your data to SimilarWeb. At least, last time someone checked...
posted by a snickering nuthatch at 8:54 PM on July 3, 2018 [1 favorite]
posted by a snickering nuthatch at 8:54 PM on July 3, 2018 [1 favorite]
I feel like this could be moved to the blue, for the sake of visibility, and discussion. (Which is to say it's a good post and I think a lot of people would be interested.)
posted by shapes that haunt the dusk at 10:49 PM on July 3, 2018 [11 favorites]
posted by shapes that haunt the dusk at 10:49 PM on July 3, 2018 [11 favorites]
Yup, I'm not a 500px user but I've been following that drama for a little while. Users are not happy about it. Interestingly, with the purchase by Smugmug (who seem to know what they have and want to do well by their users) it turns out that Flickr's replacement is probably Flickr.
posted by Anticipation Of A New Lover's Arrival, The at 5:28 AM on July 4, 2018 [1 favorite]
posted by Anticipation Of A New Lover's Arrival, The at 5:28 AM on July 4, 2018 [1 favorite]
I'm with shapes that haunt the dusk. This really belongs on the blue. Thanks Riki tiiki for the heads-up.
posted by 4ster at 11:32 AM on July 4, 2018
posted by 4ster at 11:32 AM on July 4, 2018
> Mozilla has removed Stylish from its add-on catalog, but as of this writing it is still available on the Chrome store, and neither is likely to automatically disable or remove the add-on even for your protection.
The lastest update to Firefox auto-disables Stylish 3.1.x. There are ways to recover your userstyles from your Firefox user profile, but the recommended workflow will lead you to a file that might be over a year old. To fetch the latest version, you have to do some digging through JSON files in Profiles/[your profile]/browser-extension-data.
posted by ardgedee at 5:37 PM on July 4, 2018
The lastest update to Firefox auto-disables Stylish 3.1.x. There are ways to recover your userstyles from your Firefox user profile, but the recommended workflow will lead you to a file that might be over a year old. To fetch the latest version, you have to do some digging through JSON files in Profiles/[your profile]/browser-extension-data.
posted by ardgedee at 5:37 PM on July 4, 2018
For Safari, the recommended Stylish replacement is Freestyler, with the caveat that it's not as robust, and uses its own styles repository rather than userstyles.org. Freestyler's UI is a pretty dramatic rearrangement but mostly works the same as Stylish does.
On the upside, it looks like Stylish's new owner has ignored Safari entirely; it's still on version 2.0.8, which is pre-takeover. So I'm not certain whether Stylish for Safari needs to be replaced. I've installed Freestyler and copied the rules, but disabled it. Sticking with Stylish for the time being and keeping Freestyler as a backup utility.
posted by ardgedee at 6:00 PM on July 4, 2018 [1 favorite]
On the upside, it looks like Stylish's new owner has ignored Safari entirely; it's still on version 2.0.8, which is pre-takeover. So I'm not certain whether Stylish for Safari needs to be replaced. I've installed Freestyler and copied the rules, but disabled it. Sticking with Stylish for the time being and keeping Freestyler as a backup utility.
posted by ardgedee at 6:00 PM on July 4, 2018 [1 favorite]
Hey thank you -- I was wondering what the warning was this morning.
posted by jessamyn (retired) at 5:24 AM on July 5, 2018
posted by jessamyn (retired) at 5:24 AM on July 5, 2018
« Older Argument clinic: arguing without fighting | Pony request: clearly marked political megathreads Newer »
You are not logged in, either login or create an account to post comments
posted by poffin boffin at 7:38 PM on July 3, 2018 [13 favorites]