Chrome, Firefox pull very unstylish Stylish invasive browser plugin
Add-on made sites look pretty while getting away with ugly data slurpage
Firefox and Chrome have removed a browser extension from their stores following revelations it was phoning home with users' web-surfing histories.
The "Stylish" plug-in gained popularity because it let users configure sites' appearance, rather than accepting the designers' decisions.
However – stop us if you've heard this one before – the code changed hands last year and the new owners expanded its data slurping activities.
Software engineer Robert Heaton decided to take a look at what was being sent to Stylish's owners, analytics company SimilarWeb, and was horrified.
As Heaton blogged, “HTTP requests that send a large blob of obfuscated data to a URL ending in /stats are almost never good news for users.”
“I looked closer at the decoded payload and noted a unique tracking identifier”, he wrote, adding “it only takes one tracking request containing one session cookie to permanently associate a user account with a Stylish tracking identifier. This means that Stylish and SimilarWeb still have all the data they need to connect a real-world identity to a browsing history, should they or a hacker choose to.”
Mozilla's add-on assessors decided Stylish, as it now stands, is out of line and made the extension unavailable to Firefox users (although it requires manual removal for current users).
A post from Andreas Wagner was blunt about the reason: “We decided to block because of violation of data practises outlined in the review policy.”
Still popular after it's gone
As you can see above, Stylish was popular enough to be a front-page search result for “Chrome extensions”, but it's now gone from the Google extensions store.
The Register asked SimilarWeb for comment. ®
PS: There is an open-source fork of Stylish sans analytics and tracking – Stylus.
Sponsored: Becoming a Pragmatic Security Leader