Firefox and Chrome Pull Popular Browser Extension Stylish From Their Stores After Report Claimed It Logs and Shares Browsing History, Credentials

sombragris writes: Stylish, a popular extension available for Chrome and Firefox which allows for easy customization of any website, now phones home and shares its users' browser history with its corporate parent, according to blogger Robert Heaton. This prompted Firefox to ban the extension from its addons site and prompt all users to disable it. The discussion can be seen in the relevant bug report. In Heaton's words:

Stylish is no longer a well-meaning product with your best interests at heart. If you use and like Stylish, please uninstall it and switch to an alternative like Stylus, an offshoot from the good old version of Stylish that works in much the same way, minus the spyware.

Google too has pulled the extension from its extension store. This is not the first time Stylish is at the centre of a privacy debacle.

  • by Anonymous Coward on Wednesday July 04, 2018 @04:13PM (#56893396)

    We now live in "The Internet Economy" where everything is based on "monetizing" the customer.

    • But how bad? (Score:5, Interesting)

      by Anonymous Brave Guy ( 457657 ) on Wednesday July 04, 2018 @04:50PM (#56893530)

      The title suggests that not just browsing history but credentials are uploaded. The latter is potentially much worse than the former. Does anyone have verifiable data on exactly what was uploaded? Does everyone who got caught out by this need to reset their IDs/passwords/whatever on every site they visited while using the extension? Or every site they've ever visited and allowed their browser to store login credentials?

      The new owners could be in pretty deep brown stuff anyway given that this sort of behaviour without explicit consent is now very illegal throughout Europe, but if they were stealing credentials then it would be prudent to reset everything, which of course could mean dozens or hundreds of different sites for some people.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        The "credentials" part of the title is misleading.

        Stylish sends our complete browsing activity back to its servers, together with a unique identifier. [] The SimilarWeb Privacy Policy says that they only collect “non-personal” data, and I assume that this is technically true.

        There is only evidence that Stylish sends home browsing history, but TFA discusses how visited URLs may contain credentials or one-time keys, and how Stylish can link them to a userstyles.org account.

        • I saw that as well; that was what prompted my question. Any sanely implemented site isn't going to be sending things like plain text IDs and passwords as part of a query string, only one-time tokens and the like. It was whether Stylish was intercepting things like form submissions over HTTPS, or somehow scanning saved login credentials stored in the browser, that I was concerned about when I read the title. That would have suggested that users should be advised to change all of those passwords.
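
Editor's added example, not part of any comment in this thread and not code from Heaton's post: a triage of your own exported browsing history for URLs that carried secrets in the URL itself, which is the exposure the two comments above discuss. The parameter-name heuristic and the sample URLs are constructed assumptions.

```javascript
// Added example: flag history URLs that carried secrets in the URL itself,
// so those accounts can be prioritised for session revocation or reset.
// SENSITIVE_NAME is an assumed heuristic, not an exhaustive list.
const SENSITIVE_NAME = /(^|[_\-.])(pass(word|wd)?|pwd|token|secret|sig(nature)?|session(id)?|sid|auth|api[_-]?key|key|code|otp|reset)($|[_\-.])/i;

// Return the names (never the values) of parameters that look sensitive.
function sensitiveParams(searchParams) {
  const hits = [];
  for (const [name, value] of searchParams) {
    if (value !== "" && SENSITIVE_NAME.test(name)) hits.push(name);
  }
  return hits;
}

function triageUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return null; } // skip unparsable rows
  const reasons = [];
  if (url.username || url.password) reasons.push("userinfo");
  for (const n of sensitiveParams(url.searchParams)) reasons.push(`query:${n}`);
  // OAuth implicit-flow style responses put tokens in the fragment.
  const frag = new URLSearchParams(url.hash.replace(/^#/, ""));
  for (const n of sensitiveParams(frag)) reasons.push(`fragment:${n}`);
  return reasons.length ? { host: url.host, path: url.pathname, reasons } : null;
}

// Group findings per host: the unit at which a user rotates credentials.
function triageHistory(urls) {
  const byHost = new Map();
  for (const raw of urls) {
    const hit = triageUrl(raw);
    if (!hit) continue;
    const set = byHost.get(hit.host) ?? new Set();
    hit.reasons.forEach((r) => set.add(r));
    byHost.set(hit.host, set);
  }
  return new Map([...byHost].map(([h, s]) => [h, [...s].sort()]));
}

// Constructed sample history; none of these are real URLs.
const SAMPLE = [
  "https://shop.example/reset?token=3f9c2a&uid=17",
  "https://user:hunter2@intranet.example/wiki",
  "https://app.example/cb#access_token=abc123&state=xyz",
  "https://news.example/story?id=42&page=2",
  "not a url",
];
console.log(triageHistory(SAMPLE));
```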

      • by thsths ( 31372 )

        Indeed - the latter would be criminal in most legislations around the world. There is nothing brown about it, it is a clear black hat activity.

  • by xack ( 5304745 ) on Wednesday July 04, 2018 @04:18PM (#56893414)
    Extensions need to be protected. We need to have a last known good backup system in place for extensions at risk of being hijacked.
    • by Luthair ( 847766 ) on Wednesday July 04, 2018 @04:22PM (#56893426)
      Not sure what one can really do, if a developer willingly gives away the keys to the extension.
      • by AHuxley ( 892839 )
        The browser gets an outgoing firewall for the extension? That looks like too much data getting uploaded? Tell the user that an encrypted network was established beyond what was needed for the extension update request?
        • Comment removed based on user account deletion
          • by AHuxley ( 892839 )
            Some standard framework for what an extension can do? Request a version number?
            More data moving out would need user agreement and browser support?
            Make the browser much more aware of what its extensions can do and what more they are allowed to do.
            • And then we can complain that browsers are limiting what extensions can do (like the complaints firefox gets.)

              This is just one of the risks you take when you install an extension. It's up to you to decide if what the extension does is worth the risk.

              I'm down to using almost no extensions and just using my host file to block domains.

    • by Anonymous Brave Guy ( 457657 ) on Wednesday July 04, 2018 @04:55PM (#56893554)

      There is a plague in the modern tech industry, where everything from browser extensions to microlibraries for your favourite programming language is written by someone you've never met, supplied via some sort of centralised repository or distribution channel that you trust instead, and then winds up on your machine doing who-knows-what because that trusted distribution mechanism missed something, or even because the trusted developer of some code you're running, which you downloaded via a trusted source, itself trusted someone else unwisely.

      The solution to this isn't just proper validation of where the code you're downloading actually came from, it's also to have security models more sophisticated than the 1980s in the Internet age. For example, why the hell could a browser extension that was there to modify the appearance of pages you were visiting suddenly choose to upload anything to the mothership without requiring additional permissions?

    • Maybe extensions should be digitally signed like apps are with gatekeeper on osx, or authenticode on windows?
    • by Waccoon ( 1186667 ) on Wednesday July 04, 2018 @09:23PM (#56894346)

      While we're at it, could we also have a mechanism to override auto-updating? It sucks when a developer sells his extension, and then everything auto-updates to the all-new system without appropriate disclosure. One of many reasons I don't want ANYTHING to auto-update anymore.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        If you're on Firefox, go to about:config and flip "extensions.update.autoUpdateDefault" to "false". You can also change this per-extension by clicking on the "More" link on each extension. The first field is "Automatic Updates" and you can choose between Default, On, and Off.

    • Given how browsers have become the primary application for so much sensitive information, I advise people to treat extensions the way they (should) treat any other unknown application. And disable automatic updates. But truth be told most people won't do that because it is a pain.
  • What's sad is many will say, me included at one time, ya get what ya pay for, so them becoming scummy isn't a surprise. The problem is even if you PAY for a product, take Windows 10, ya it was free but it's not free anymore and the paid version is no different than the unpaid version. All the spyware, data mining, loss of control over one's own settings and program choices are in the PAID version. The one that may allow users to fully control isn't sold to the general public. Point is, paying for stinking product don't
  • Why do companies / people do this when there is *100 percent chance* that they will be discovered and excommunicated from the Internet Universe? One would think they would be a little more sneaky about it.

  • by Anonymous Coward

    As the summary notes, stylish has been suspicious for a while. I switched to stylus [mozilla.org] last time and have been more than happy with it.

  • by Gerald Butler ( 3528265 ) on Wednesday July 04, 2018 @07:31PM (#56894094)

    I was using stylish for quite some time. I'm disappointed that this kind of breaking of trust occurred with that extension. I've now switched over to stylus instead. It works great (even better than stylish). It seems to behave better, have a better UI, and more stability. So, if you're unsure what to use, definitely give stylus a try.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Can confirm, Stylus works just as well. No modification of my styles was needed.

  • Stylish still exists? We moved on years ago to Tampermonkey.

  • by Chameleon Man ( 1304729 ) on Wednesday July 04, 2018 @11:59PM (#56894696)
    People are concerned with the Cambridge Analytica stuff, where an app scrapes essentially publicly-made data of users, but browser extensions are far scarier. If granted the right permissions, they have free rein on scraping password data. I imagine far more extensions are doing it.
  • Someone needs to start a peer-review system for firefox extensions.

    The other day I installed a gestures extension and reviewed the source code myself before installing it for possible telemetry leaking. It didn't have any and it would be nice to upload my results to a website.

    If someone made it nice like stackexchange with points I bet it would take off.

    • I can only imagine that this would start a game, wherein nefarious add-on makers would create fake accounts to use to post positive peer reviews of their extension... There would have to be some kind of trust mechanism included and I'm not sure how that would work.
    • I think it reflects pretty poorly on Chrome how most of the comments are about how we are shocked that this could happen on Firefox. I guess we just took it for granted that it would happen using Chrome.

  • Is this not a crime? Who perpetrated it? Or did everyone who installed the extension agree to a EULA explaining that it did this? If so, I believe the problem is the existence of a EULA. They are too long and complex, nobody reads them, and so they have all kinds of stuff in them. Since people agree to them automatically, they lose their rights to use the legal system that should be punishing these criminals.
