from Hacker News

“Stylish” browser extension steals all your internet history

by mbaye on 7/3/18, 5:37 AM with 157 comments

  • by mcjiggerlog on 7/3/18, 7:48 AM

    This is a huge problem for the extension ecosystem in general. Who originally publishes an extension may not be the same entity that is pushing you updates in two years' time, and there's no way as a user to know this.

    I publish a few extensions [1] [2] [3] and have been contacted multiple times by companies asking to buy them for several thousand dollars. They told me the going rate was 0.20 USD per user. You can imagine what kind of deals are being made when the extension has a million plus users.

    When pushed for exactly why they wanted to buy the extensions, which are in no way monetizable, they gave vague answers about "user insights". I can guarantee there will be many other major extensions that have sold out their users.

    [1] https://chrome.google.com/webstore/detail/old-reddit-redirec...

    [2] https://chrome.google.com/webstore/detail/break-timer/hklkdb...

    [3] https://chrome.google.com/webstore/detail/reddit-comment-col...

  • by Zren on 7/3/18, 12:23 PM

    I've gotten annoyed enough to just copy the source from most of my extensions (located at `~/.config/google-chrome/Default/Extensions/`), remove the update stuff from the `metadata.json` and load them as developer extensions so they never update.

    It's easy enough to update them + audit the code when something breaks. The hardest part is downloading the new code (.crx) without installing it; I had to write JavaScript I paste into the console. StackOverflow can unzip a crx by stripping the first 306 bytes.

    I forked Stylish v1.5.2 a year ago before I heard of Stylus, but I've no need to switch since the original extension was pretty good. https://github.com/Zren/chrome-extension-stylish#fork
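
Added example, not part of the comment above or of any project it mentions: instead of stripping a fixed 306 bytes, this Python sketch reads the `.crx` header to locate the embedded ZIP, then reports the `update_url`, permissions and script files from `manifest.json` for review before loading an unpacked copy. The 306-byte figure corresponds to a version 2 header with a 1024-bit RSA key (16 + 162 + 128); the sample container, its dummy key and signature bytes, and the `updates.example.invalid` URL are constructed for the demonstration.

```python
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"

def crx_zip_offset(data: bytes) -> int:
    """Return the byte offset where the ZIP archive starts inside a .crx file."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (missing Cr24 magic)")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:
        # CRX2: magic, version, public-key length, signature length, key, signature
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        offset = 16 + key_len + sig_len
    elif version == 3:
        # CRX3: magic, version, header length, then a protobuf header of that length
        (header_len,) = struct.unpack_from("<I", data, 8)
        offset = 12 + header_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if data[offset:offset + 4] != b"PK\x03\x04":
        raise ValueError("no ZIP local-file header at computed offset")
    return offset

def audit_crx(data: bytes) -> dict:
    """Open the embedded ZIP in memory and report what matters for a manual review."""
    with zipfile.ZipFile(io.BytesIO(data[crx_zip_offset(data):])) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        return {
            "version": manifest.get("version"),
            "update_url": manifest.get("update_url"),      # present => auto-updates
            "permissions": manifest.get("permissions", []),
            "scripts": sorted(n for n in zf.namelist() if n.endswith(".js")),
        }

def build_sample_crx2(manifest: dict) -> bytes:
    """Constructed sample: CRX2 container with dummy key and signature bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "// constructed placeholder\n")
    key, sig = b"K" * 162, b"S" * 128   # 1024-bit RSA sizes: 16 + 162 + 128 = 306
    return CRX_MAGIC + struct.pack("<III", 2, len(key), len(sig)) + key + sig + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_crx2({"name": "demo", "version": "1.0",
                                "permissions": ["tabs", "<all_urls>"],
                                "update_url": "https://updates.example.invalid/crx"})
    print(crx_zip_offset(sample), audit_crx(sample))
```

A container signed with a larger key, or a version 3 file, has a different header length, which is why the offset is computed rather than assumed.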

  • by psergeant on 7/3/18, 7:08 AM

    Offices in the UK. I would encourage anyone in the EU who used this to file a GDPR complaint.
  • by TheCapeGreek on 7/3/18, 7:43 AM

    As others have said, immediately switch to Stylus. While we're at it stop using Ghostery as well since they were bought by an ad company. Use Privacy Badger or a decent alternative (noscript + heavy/custom uBlock lists should work just fine)
  • by mappu on 7/3/18, 6:44 AM

    I discussed this problem (in a bit of an inflammatory way) last month: https://news.ycombinator.com/item?id=17242003

    It's particularly annoying, because I do have this Stylish extension installed (using css ::after rules to tag HN users)

    EDIT: You can submit an abuse report when uninstalling a Chrome extension.

  • by eastendguy on 7/3/18, 7:30 AM

    This reminds me of the "WOT, Web of Trust" (haha) privacy issue in 2016: Reporters (disguised as businessmen) were offered data that includes the surfing habits of three million German citizens. This data was, at least partly, collected by the “Web of trust” (WOT) browser extensions. The reporters were able to use this data to identify the browsing habits of individual persons – including high-ranking German and EU politicians.

    English: https://ocr.space/blog/2016/11/wot-browser-extension-collect...

  • by dannyw on 7/3/18, 7:34 AM

    Google needs to take action here. From requiring re-confirming permissions every time a significant privacy policy change is made, or just by nuking SimilarWeb altogether from the web App Store.
  • by _fh5n on 7/3/18, 7:29 AM

    It took me less than a minute to install Stylus and import all my userstyles from Stylish.
  • by trio333 on 7/3/18, 7:52 AM

    Always the same cycle.

    1/ New great product is built. People love it.

    2/ Once enough people use it, start monetizing in shady ways, annoying users just not too much or they leave.

    3/ Very annoyed users switch to another product; back to 1/

  • by ssivark on 7/3/18, 7:00 AM

    Most browser extensions seem to require access to one's browsing history and keystrokes, even for legitimate functioning. Is there any way to ensure that they do only what they claim to do, and don't abuse the permissions? (Apart from verifying the source code, because clearly, lines of junk code >> interested eyeballs).

    For example, would it be reasonable to enforce that an extension only acts locally, and cannot communicate with any external server? (I guess allowing arbitrary local modifications essentially allows the extension to execute arbitrary javascript code, including communicating with arbitrary remote entities?)

  • by mjgoeke on 7/3/18, 5:34 PM

    For those actively using Stylish and needing to switch:

    '"Stylus" is a fork of the popular Stylish extension which can be used to restyle the web. Not "ish", but "us", as in "us" the actual users. Stylus is a fork of Stylish that is based on the source code of version 1.5.2, which was the most up-to-date version before the original developer stopped working on the project. The objective in creating Stylus was to remove any and all analytics, and return to a more user-friendly UI. We recognize that the ability to transfer your database from Stylish is important, so this is the one and only feature we've implemented from the new version.' [1]

    [1] https://add0n.com/stylus.html and https://github.com/openstyles/stylus

  • by HelenePhisher on 7/3/18, 9:00 AM

    Tampermonkey seems to be a good alternative as well and is available for all major browsers.

    Does anyone have information on if the Safari Stylish Addon does the same shady things? It's available in the official App Store and was approved by Apple it seems.

  • by nailer on 7/3/18, 8:55 AM

  • by roadbeats on 7/3/18, 12:20 PM

    Meanwhile a simple and open source bookmarking extension was taken down with no notice, no information (https://news.ycombinator.com/item?id=17440358).
  • by tripzilch on 7/3/18, 11:22 PM

    Well, shit. I installed this extension a few months ago, because multiple people on HN recommended it.

    Tried it out, but found a different way to restyle and adjust sites to my tastes (uBlock and custom Greasemonkey) that I found easier. Then forgot about it.

    And now it turns out this thing has been slurping my Internet history for months.

    No downvotes, nobody calling them on it, just happy oblivious HN users that carelessly install random browser extensions and then recommend them to other people. Urgh.

  • by _bxg1 on 7/3/18, 2:59 PM

    This has been going on for years and Google has done nothing about it. These days I don't use any extensions where a major organization's reputation doesn't depend on them not becoming spyware. Truly a shame; I used to get a lot of benefit out of extensions, including a similar one named Stylebot, but now I don't trust anything other than Adblock Plus and the React Developer Tools to not covertly become malicious.
  • by therealmarv on 7/3/18, 10:33 AM

  • by alexanderby on 7/4/18, 5:22 PM

    Dark Reader (which generates dark themes dynamically) added support for static CSS so that style sheets could be migrated http://darkreader.org/blog/stylish/
  • by mholt on 7/3/18, 1:09 PM

    Dangit - I just installed it yesterday to block Twitter's annoying timeline additions ("So-and-so liked such-and-such") which don't honor the account's word filter/blacklist. Any alternatives out there that are better?
  • by O1111OOO on 7/3/18, 10:02 PM

    10 months ago, I discovered and recommended stylish on a post titled: "Show HN: Make Medium Readable Again"[0]. I have only ever used it for a single site: medium.

    It's times like these I wish I could go back and edit/update an old post with new info. I feel like I got stabbed in the back... which happens way too often in tech these days no matter how careful you are.

    [0] https://news.ycombinator.com/item?id=15123638

  • by fishtopher on 7/3/18, 8:36 AM

    In what is certainly a complete coincidence, the Stylish Firefox extension threw up an "agree to our new TOS 'effective May 22, 2018.'" modal for me today..
  • by aplc0r on 7/4/18, 1:33 AM

    It appears Firefox has already moved on this. Came home today and was warned that Stylish was an unsafe extension, and I can no longer find it listed as an available add-on.
  • by SSchick on 7/3/18, 10:09 AM

    I actually ran into this issue previously when for some reason I got a request on a `hidden` (very cryptic URL listed nowhere) diagnostic endpoint on one of our APIs. I ended up identifying stylish as the culprit, at first I disabled the tracking option (which is opt out and probably violates GDPR), a few weeks later I installed stylus.

    I also reported it around the same time and gave it a 1/5 star rating but google had no interest in the report it seems.

  • by franga2000 on 7/5/18, 9:18 PM

    I've been lucky enough to have never had an extension installed when it was sold, so I don't know that this isn't already the case, but if it isn't, I believe it should be: Whenever an extension changes hands (is transferred to another account), the user should be notified in the same way they would be if it requested new permissions. Along with a rule that accounts are non-transferable, of course.
  • by lifthrasiir on 7/3/18, 6:29 AM

    tl;dr: Use Stylus [1]. Use Stylus. Use Stylus.

    I guess there should be an addon that notifies users for any ownership changes to browser addons they use. Or is there?

    [1] https://github.com/openstyles/stylus

  • by captn3m0 on 7/3/18, 7:57 PM

    Found same issue with Pricee the other day, not sure how to report: https://addons.mozilla.org/en-US/firefox/addon/pricee-search...
  • by Sephr on 7/3/18, 9:33 PM

    The culprit in question tried to do the same thing to a Voice Search Chrome extension in the past[1].

    [1] https://twitter.com/sephr/status/1014240895095300096

  • by stratigos on 7/9/18, 5:59 PM

    Ugh! After so many years, I now have to view a white-themed internet again. I forgot how painful and blindy websites are!

    Pls redesign the whole internet to be dark themed, so we don't need add ons like this to fix the world. Thanks!

  • by garganzol on 7/3/18, 9:54 AM

    So it boils down to trust anyway. No way a code signing certificate can impose that trust. At the end of the day, it all goes back to human stance towards other beings in this world and own dignity.
  • by Bromskloss on 7/5/18, 10:10 PM

    Since "youtube-dl does not include support for services that specialize in infringing copyright", is there a fork, or addition, without this restriction?
  • by kup0 on 7/6/18, 1:20 PM

    Is there an alternative to userstyles.org for hosting styles? That site is run by the Stylish folks, and I have removed my account and styles from it.
  • by yuber on 7/6/18, 11:08 AM

    I wonder if Stylish is also able to data-mine the websites you visited while in incognito mode, since extensions don't work there.

    Does anybody have an idea?

  • by eurticket on 7/3/18, 11:14 AM

    Is there a system in place to update everyone on new ownership changes and implementation of anti user-good practices like this?
  • by seba_dos1 on 7/3/18, 1:35 PM

    Isn't it common knowledge? People were massively switching to Stylus a long time ago.
  • by pdimitar on 7/3/18, 2:12 PM

    Sadly Stylus is not in Safari's plugins store.

    Any alternatives for Mac users?

  • by ccnafr on 7/3/18, 8:40 AM

    It's not actually stealing if it's in the ToS, is it?
  • by akerro on 7/3/18, 7:53 AM

    Don't Google and Mozilla review source code of addons?
  • by sahin-boydas on 7/4/18, 8:10 PM

    Is there any response from the Stylish developer?
  • by IngvarLynn on 7/3/18, 2:39 PM

    "OneTab" is another popular extension with the same issue. Switched to ff+"tabs aside" since then.