
7/6/2018
08:05 AM
Larry Loeb

Google, Firefox Pull Stylish After Report Shows How Data Is Collected

A security researcher showed how the Stylish browser extension sent personal data and search results back to the parent company, and this forced Mozilla and Google to yank it off their stores.

It started out as a way to make the Internet look the way you wished it to. But it ended up spying on what you were doing on it, and sending the information to a marketing company.

Welcome to 2018.

The Stylish Chrome and Firefox browser extension gave users a way to change how they viewed sites. It offered user-made skins that could give bright websites a dark background, undo UI changes users disliked, or even add graphics to please the user's sensibilities. It even had a CSS editor that could remove unwanted parts of a page.

A user could change things around to the way they wanted things to look.

The Google Chrome page for Stylish before it was pulled
(Source: Google)

But since January 2017, the websites visited by the 2 million users of the extension have been recorded. The original owner and creator of Stylish sold it in August 2016 to someone who resold it to SimilarWeb. The intent of SimilarWeb has not exactly been a secret. But the exact way the company was going to do things has not been clear.

However, security researcher Robert Heaton stumbled upon what the extension was actually doing, and started to yell rather loudly. He found that all of the URLs of accessed pages were being sent to the company, including the full results of Google searches.

As Heaton put it:

The SimilarWeb family's promotional literature lists "Market Solutions To See All Your Competitors' Traffic" amongst its interests. I'm starting to feel like I might have become the product. I understand that it probably isn't SimilarWeb company policy to threaten to show their users' browsing history to their mothers and rabbis unless they hand over a big pile of cash. But it wasn't Equifax company policy to lose all those Social Security Numbers either.

This led Mozilla to actively block the extension.

Mozilla software engineer Andreas Wagner wrote in the bug report: "We decided to block [Stylish] because of violation of data practices outlined in the review policy." Another user noted that "it will be disabled, not removed. Users will get a warning though with a request to (optionally) restart the browser."



Also, the Stylish Firefox add-on page has been removed.

The Stylish Chrome Web Store page currently gives a "404" error, so Google has taken action as well.

There is an open source alternative named Stylus that can do most of what Stylish could do. "It is a fork of Stylish that is based on the source code of version 1.5.2, which was the most up-to-date version before the original developer stopped working on the project," according to Stylus.

It's available for Chrome, Firefox and Opera browsers.


— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
