“Stylish” extension with 2M downloads banned for tracking every site visit

Google, Mozilla, and Opera have pulled a browser extension with more than two million downloads after it was caught tracking every website its users visited—and sending the data to a remote server.

The Stylish extension allowed users to customize the look and feel of websites in a variety of ways. Among other things, it could remove clutter such as Facebook or Twitter news feeds, change normal pictures to black-and-white manga images, and change black-on-white site themes to white-on-black themes. Starting this year, Stylish started performing these useful functions at a high price: according to software engineer Robert Heaton, the extension started sending users’ complete browsing activity back to its servers by default, along with a unique identifier that in many cases could be used to correlate email addresses or other Internet attributes belonging to those users.

An updated Stylish privacy policy disclosed that the extension collected browsing histories. The version published in May, for instance, said that the information included “standard web server log information (i.e., web request) as well as data sent in response to that request, such as URL used, Internet Protocol address (trimmed and hashed for anonymization), HTTP referrer, and user agent.” Various articles from January, 2017, also noted the tracking but, citing a new owner of the extension, these articles said it would be anonymous. (This despite the fact that many URLs, particularly when stored in large quantities over a long period of time, can make it painfully obvious which individual is viewing them.)

Heaton used a security-testing tool called Burp Suite to analyze precisely what Stylish was doing. He found that it sent a large amount of obfuscated data to userstyles.org, a website under the control of the new Stylish owner. Heaton quickly figured out how to decode the data and discovered it contained an alarming amount detail, including every URL he visited, the actual Google search results from his browser window, and by default a unique identifier (although that can be removed by changing a setting).

Heaton said Stylish has been collecting the browser histories from Chrome users since January, 2017, and from Firefox users since March. Even though the collection was disclosed, it largely escaped the notice of Google, Mozilla, and Opera—not to mention more than two million end users—until Heaton documented it. Officials with Stylish didn’t immediately respond to a request to comment for this post.

The episode is the latest reminder that browser extensions come at a cost, both in terms of the data they may collect and the increased attack surface they may provide for hackers. The event makes clear that browser makers apply minimal scrutiny to the extensions they host. Security-conscious users should use extensions sparingly, especially for those that offer minimal benefit. For those users who want to disregard this advice and use an extension that offers the same features as Stylish, Heaton recommends Stylus.