Stylish extension banned for tracking site visits
Stylish, an extension for the Chrome, Firefox and Opera browsers, has just been banned for tracking users and sending their browser data to remote servers. This popular extension had more than 2 million downloads before it was pulled by Mozilla, Google, and Opera.
With the Stylish extension, users were able to customize the look and feel of various websites within their browser. Its features included switching site themes from black on white to white on black, turning normal pictures into black and white, and removing Facebook and Twitter news feeds.
According to software engineer Robert Heaton, this extension started collecting browser activity data and sending it back to its servers in January 2017. The collected user data contained unique identifiers that could be used to link email addresses or other attributes with users.
Heaton discovered the tracking code with Burp Suite, a comprehensive security testing tool mainly used to identify vulnerabilities affecting web applications. He found that the Stylish extension was sending a large amount of obfuscated data to userstyles.org, a site belonging to the new Stylish owner. After decoding the data that was sent to remote servers, Heaton discovered that Stylish was collecting Google Search results along with the history of visited URLs.
According to Heaton, Stylish has been collecting the browser history of Chrome users since January 2017, while tracking of Firefox users started only a couple of months later, in March 2017. Even though the data collection was disclosed in the privacy notice, it did not attract much attention from Mozilla, Opera, and Google, or from the two million users of the Stylish extension.
This event reminds us that browser makers don't do a detailed check of the extensions they host in their stores and that we should pay more attention before using them.
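The kind of check Heaton's finding points to, as an added example that is not taken from the article or from Heaton's own analysis: scan request bodies captured by an intercepting proxy and report any field that decodes to URLs of other sites. It assumes the obfuscation is base64 inside a form field, which the article does not specify; the host collector.example, the field names and all sample data are constructed.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")
B64_RE = re.compile(r"[A-Za-z0-9+/_-]+=*")

def fields(body):
    """Split a form-encoded body without turning '+' into a space."""
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        yield name, unquote(value)

def try_b64(value):
    """Return decoded UTF-8 text if value is plausible base64, else None."""
    if len(value) < 16 or not B64_RE.fullmatch(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    padded = padded.replace("-", "+").replace("_", "/")  # accept URL-safe form
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def leaked_urls(request):
    """List (field, url) pairs where a decoded field carries a URL whose
    host differs from the host the request was sent to."""
    found = []
    for name, value in fields(request["body"]):
        text = try_b64(value)
        if text is None:
            continue
        for url in URL_RE.findall(text):
            if urlsplit(url).hostname != request["host"]:
                found.append((name, url))
    return found

# Constructed sample: two captured requests to a hypothetical collector host.
_payload = ('{"cur":"https://www.example.com/search?q=private+query",'
            '"prev":"https://mail.example.org/inbox"}')
_encoded = quote(base64.b64encode(_payload.encode()).decode(), safe="")
SAMPLE = [
    {"host": "collector.example", "body": "data=" + _encoded + "&uid=sample-01"},
    {"host": "collector.example", "body": "style=42&action=install"},
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req["host"], leaked_urls(req))
```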