
"Stylish" browser extension steals all your internet history



Before it became a covert surveillance tool disguised as an outstanding browser extension, Stylish really was an outstanding browser extension. It bestowed upon its users nothing less than the power to change the appearance of the internet. Its extensive bank of user-made skins gave bright websites a dark background, undid disliked UI changes, and added manga pictures to everything that wasn’t a manga picture already. I spent many wonderful hours in its simple CSS editor, hiding the distracting parts of the web whilst unknowingly being spied on. Facebook news feed - gone. Twitter news feed - gone. Personal browsing history - gone. Quality of life and unexplained ennui - up and down respectively.




Unfortunately, since January 2017, Stylish has been augmented with bonus spyware that records every single website that I and its 2 million other users visit. Stylish sends our complete browsing activity back to its servers, together with a unique identifier. This allows its new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie. This means that not only does SimilarWeb own a copy of our complete browsing histories, they also own enough other data to theoretically tie these histories to email addresses and real-world identities.


Stylish’s transition from visual Valhalla to privacy Chernobyl began when the original owner and creator of Stylish sold it in August 2016.


In January 2017 the new owner sold it again, announcing that “Stylish is now part of the SimilarWeb family”. The SimilarWeb family’s promotional literature lists “Market Solutions To See All Your Competitors’ Traffic” amongst its interests. I’m starting to feel like I might have become the product. I understand that it probably isn’t SimilarWeb company policy to threaten to show their users’ browsing history to their mothers and rabbis unless they hand over a big pile of cash. But it wasn’t Equifax company policy to lose all those Social Security Numbers either.

Why this is dangerous

The SimilarWeb Privacy Policy says that they only collect “non-personal” data, and I assume that this is technically true. But accidents happen. When you unwittingly entrust your personal data to a company like SimilarWeb, not only do you have to hope that they have no actively evil intentions (besides those listed on their pricing page). You also have to hope that they have good data access controls, no rogue employees, and strong enough security to prevent the theft of all their data (formerly your data). Worse, even the filching of a nominally anonymized list of URLs has significant privacy and security implications. De-anonymization using IP addresses and the specifics of a user’s browsing history is often straightforward. Who do you think that person visiting https://www.linkedin.com/in/robertjheaton/edit might be?


Single URLs with no additional context can be very sensitive too. For example, some websites use URLs containing special authentication tokens to log their users in automatically when they click a link in an email. When a user clicks on a link like mysocialnetwork.com/inbox?login_token=fsdj80d...etc..., the website uses the long, secret login_token in the URL as an alternative password, and logs the user into their account. This is a risky but sometimes defensible practice that relies on login tokens staying secret and unguessable. However, since they are part of the URL, Stylish happily records them and sends them back to the SimilarWeb servers. Their databases presumably contain secondary login credentials for user accounts on any number of other services.


Sensitive URLs crop up elsewhere too. My online medical provider shows me my medical documents using secret, 1000-character long URLs (generated by Amazon S3) that expire within a minute or so. For these pages, no login authentication beyond simply knowing the URL is required. Anyone who guessed the authentication token in the URL before it expired would be able to view and download my medical documents. In my opinion this is not best practice on the part of my online medical provider’s engineering team. But the real world is full of things that are not best practice, and no conventional attacker is actually going to be able to guess a 1000-character long URL within a minute. Stylish makes life easier for them by harvesting the whole thing and recording it in their database. Now this stupid advertising company also owns pointers to my medical records. I really hope they never get hacked.


Most prevalently, many websites use URL tokens to allow users to reset a forgotten password. When a user clicks on the “Forgot Your Password?” button, the website sends them an email containing a special link. This link points to a long URL that looks something like mysocialnetwork.com/password-reset?reset_token=a3dJ3...etc.... When the user clicks on it, the website reads the reset_token, looks up the corresponding user, and allows them to safely reset their password. However, if an attacker were able to intercept these URLs and complete the password-reset process before the real user, they would gain total control over the account.


Once again, Stylish hoovers up these password-reset URLs, taking its users’ privacy and security into its own hands.

See for yourself

Even though Stylish’s new snooping functionality has been public knowledge since the SimilarWeb announcement, I only discovered it last week whilst doing some unrelated work on a different website. It was like catching my favorite uncle picking his nose and eating it and stealing my passport. On the other hand, I never paid my uncle for any of the nice things he did for me, so what did I expect?


Whilst looking at Burp Suite, I noticed a large number of strange-looking requests going to api.userstyles.org.




HTTP requests that send a large blob of obfuscated data to a URL ending in /stats are almost never good news for users. I noticed that the data blob contained only letters and numbers and ended in %3D, the URL encoding for an = sign. This made me suspect that the blob had been Base64 encoded. I tried Base64 decoding it:




Still nonsense. But the decoded string also contained only letters and numbers, and also ended in an = sign. I tried Base64 decoding it a second time:




Pyrrhic victory. When I looked at the contents of the decoded payload, I realized that Stylish was exfiltrating all my browsing data. I Googled “stylish spyware” and found lots of shops selling fashionable espionage gear. I also found plenty of articles confirming that Stylish were up to no good.


I looked closer at the decoded payload and noted a unique tracking identifier. I remembered that I had signed up for a Stylish account in order to share some of my distraction-hiding skins with the world. I wondered whether my session cookie would get appended to Stylish’s tracking requests if I logged in to userstyles.org.


Of course, it did. Stylish’s session cookie is scoped to *.userstyles.org, so it gets sent to every userstyles.org sub-domain as well. To Stylish’s very partial credit, the cookie is set to be very short-lived, and expires as soon as the browser is closed. This means that it is not appended to every tracking request - only the ones sent after the user logs in to userstyles.org but before they next close the browser. However, it only takes one tracking request containing one session cookie to permanently associate a user account with a Stylish tracking identifier. This means that Stylish and SimilarWeb still have all the data they need to connect a real-world identity to a browsing history, should they or a hacker choose to.


It’s not news that browser extensions can be a security nightmare. It’s not even enough to trust an extension’s current, benevolent owner. Even the benevolent have to make a buck eventually, and quiet sales to organizations like SimpleWeb are not uncommon. SimilarWeb claims that they need to track every single website Stylish’s users visit in order to recommend them styles for the current webpage. This is a solution in search of a flimsy justification. If this were all they were doing then they would only need to send themselves the current page’s domain, not the full URL. And it doesn’t even begin to explain why they also need to scrape and send themselves your actual Google search results from your browser window.




There’s a check box in the Stylish control panel that claims to disable tracking, although SimilarWeb helpfully enable it by default. It does appear to work, at least until the next change to Stylish’s 2,000-word privacy policy or 3,000-word Terms and Conditions. However, Stylish is no longer a well-meaning product with your best interests at heart. If you use and like Stylish, please uninstall it and switch to an alternative like Stylus, an offshoot from the good old version of Stylish that works in much the same way, minus the spyware.


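The "See for yourself" steps in the post above (URL-decode the /stats body, then Base64-decode until readable text appears) can be reproduced on captured traffic with a short script. This is an added example, not part of the original post or of Stylish's code; the sample blob and its field names (`tracking_id`, `url`) are constructed, and the `SECRET_HINTS` list is an assumed naming heuristic.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SECRET_HINTS = ("token", "signature")  # assumption: naming heuristic only


def peel_base64(blob, max_layers=5):
    """URL-decode blob, then strip Base64 layers while the result still
    looks like Base64. Returns (text, layers_removed)."""
    text = unquote(blob).strip()
    layers = 0
    while layers < max_layers and len(text) % 4 == 0 and B64_RE.match(text):
        try:
            decoded = base64.b64decode(text, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break  # not Base64 after all, or binary data underneath
        text, layers = decoded, layers + 1
    return text, layers


def secret_query_params(url):
    """Names of query parameters that look like bearer secrets."""
    names = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(n for n in names if any(h in n.lower() for h in SECRET_HINTS))


def build_sample_blob():
    """Constructed stand-in for a captured /stats body (hypothetical fields)."""
    record = {
        "tracking_id": "CONSTRUCTED-0001",
        "url": "https://mysocialnetwork.com/password-reset?reset_token=EXAMPLE",
    }
    once = base64.b64encode(json.dumps(record).encode()).decode()
    twice = base64.b64encode(once.encode()).decode()
    return quote(twice, safe="")  # any '=' padding becomes %3D on the wire


if __name__ == "__main__":
    text, layers = peel_base64(build_sample_blob())
    leaked = json.loads(text)["url"]
    print(layers, leaked, secret_query_params(leaked))
```

Running `peel_base64` over request bodies exported from a proxy, then `secret_query_params` over each recovered URL, shows which reported pages carried login or reset tokens.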
A new report suggests that the popular Stylish add-on for Google Chrome and Mozilla Firefox leaks all browsing data and more to the parent company.


The Stylish add-on and the linked userstyles.org repository for website styles changed ownership twice in the past years. The original owner sold Stylish back in October 2016 and the new owners of Stylish sold it again to the current owner SimilarWeb.


Stylish is a handy extension that you can use to apply custom CSS to websites. You may use it to change colors, remove elements, or add elements to sites to adjust them to your liking. You can remove advertisements, the comment section on YouTube, or turn Google Search's white background into something more eye-pleasing.

Stylish collecting browsing data

The switch to the new owner of Stylish had massive privacy implications. SimilarWeb is known for its analytics offerings and it appears that the company collects browsing data from Stylish.




Users who install Stylish are automatically opted-in to sending anonymous data to Stylish. Stylish does include an option to opt-out of that in the extension options.

Back in 2017 we mentioned that it is unclear what data gets collected by the extension as it is not made clear in the privacy policy.


Robert Heaton analyzed Stylish's data collecting recently and discovered that the extension sends a user's complete browsing history back to Stylish servers. The data is linked to a unique identifier so that all of a user's browsing history can be linked together.


It is even worse for users who have an account on userstyles.org, a property owned by SimilarWeb, as SimilarWeb could link accounts to the browsing history.


Even if that is not the case, it is problematic even if SimilarWeb claims that it collects anonymized data only. One of the cases where this is problematic is when sites add information to the URL directly. Heaton mentions URLs that contain profile names, tokens, and URLs that use obscurity to protect data from third-parties.


Stylish makes a number of connections to api.userstyles.org whenever you connect to web resources. While you could think that this is done to return existing userstyles for these web resources, Stylish does transmit more information than it needs to for that functionality.


Heaton discovered that Stylish was transmitting obfuscated data to the userstyles address. He managed to decrypt it to find out that Stylish was submitting all browsing data to company servers. In other words, Stylish submits the full URL of any site you open in the browser the extension is installed in and Google search results as well.


SimilarWeb highlights what it collects in the extension's privacy policy:

From the Stylish desktop browser extension:

Standard web server log information (i.e., web request) as well as data sent in response to that request, such as URL used, Internet Protocol address (trimmed and hashed for anonymization), TabID, HTTP referrer, and user agent; and
Search engine results page data (keyword, order/index of results, links of results, title, description, and ads displayed).

From the Stylish mobile app:

Standard web server log information (i.e., web request) as well as data sent in response to that request, such as URL used, Internet Protocol address (trimmed and hashed for anonymization), HTTP referrer, and user agent;
Search engine results page data (keyword, order/index of results, links of results, title, description, and ads displayed);
Device ID (anonymized and/or de-identified using irreversible encryption and/or hashing);
Browser type, operating system and Mobile Network Code;
Device model name, device screen size and whether the device is rooted;
All web connections; and
Information regarding installed applications and their use (names, app IDs, versions of installed apps, installation and update dates, whether they are system apps, which apps are used, duration of use, whether the apps are on the home page);

If you use Stylish, at the very least disable the collecting of data in the extension settings.


We reviewed Stylus in 2017 which is a fork of Stylish that does not include the analytics component. You can install the extension and use it to load userstyles.

You may also use Chrome's overrides tool to make permanent changes directly to websites.


Now You: do you use Stylish?




GDPR, nothing but good news, surely?














Privacy Policy
Unlike other similar extensions, we don't find you to be all that interesting. Your questionable browsing history should remain between you and the NSA. Stylus collects nothing. Period.















xStyle is based on the source code of Stylish-for-Chrome 1.7.0.
xStyle has a better user interface, and is compatible with the latest Firefox nightly.
We do not collect any user data, no matter what it is used for.



Happily I didn't install it in the past :) I almost installed it, but then I didn't want to :) 


As I said in another post :) In the past I would install it, but then I didn't want to jaja :D Wow, I saved myself jaja


  • Karamjit locked this topic


This topic is now archived and is closed to further replies.
