Chrome and Firefox pull history-stealing browser extension

One minute that favourite browser plug-in is your friend, the next it’s quietly turned into a privacy disaster that’s profiling your browsing in the most intimate way possible.

Browser makers should be on top of this phenomenon and yet, here we are reporting on the latest example, this time spotted by software engineer Robert Heaton.

He’d been using a Chrome and Firefox extension called Stylish for years to re-skin websites and hide their “distracting parts” such as Facebook and Twitter feeds. (Safari and Opera versions are also available.)

Usefully, it even:

Added manga pictures to everything that wasn’t a manga picture already.

Not hard to see why Heaton and two million others might want to use it then.

Unbeknownst to him, however, in January 2017 the extension was sold to new owners, SimilarWeb, who changed its privacy policy – and outlook.

This came to his attention when he noticed Stylish had started sending obfuscated data back to its website as part of what looked like data gathering.

Sure enough, after more research:

When I looked at the contents of the decoded payload, I realized that Stylish was exfiltrating all my browsing data.

From inside his browser, Stylish could monitor every website he visited. Worse, because Heaton had an account login for the extension, it could relate his activity to his identity.

Stylish and SimilarWeb still have all the data they need to connect a real-world identity to a browsing history, should they or a hacker choose to.

Extensions getting new owners and undesirable, unexpected behaviour isn’t a new business model, and this particular change wasn’t exactly a secret because (as Heaton readily admits) the change of ownership and its implications was widely reported at the time in the tech press.

Unaccountably, it seems browser makers didn’t pick up on the implications of the change in ownership, which is why Mozilla has this week abruptly removed it from its list of Firefox Add-Ons, writing:

We decided to block because of violation of data practises outlined in the review policy.

Given that the Stylish page on Chrome’s extensions listing returns a 404 error, it seems that Google, too, has had second thoughts, closely followed by the same for Opera.

Of course, none of this will help the two million users who already run the extension and aren’t aware that it changed.