One minute that favourite browser plug-in is your friend, the next it’s quietly turned into a privacy disaster that’s profiling your browsing in the most intimate way possible.
Browser makers should be on top of this phenomenon and yet, here we are reporting on the latest example, this time spotted by software engineer Robert Heaton.
He’d been using a Chrome and Firefox extension called Stylish for years to re-skin websites and hide their “distracting parts” such as Facebook and Twitter feeds. (Safari and Opera versions are also available.)
Usefully, it even:
Added manga pictures to everything that wasn’t a manga picture already.
Not hard to see why Heaton and two million others might want to use it then.
Unbeknownst to him, however, in January 2017 the extension was sold to new owners, SimilarWeb, who changed its privacy policy – and outlook.
This came to his attention when he noticed Stylish had started sending obfuscated data back to its website as part of what looked like data gathering.
Sure enough, after more research:
When I looked at the contents of the decoded payload, I realized that Stylish was exfiltrating all my browsing data.
From inside his browser, Stylish could see every website he visited. Worse, because Heaton was logged in to a Stylish account, the extension could tie that activity to his identity.
Stylish and SimilarWeb still have all the data they need to connect a real-world identity to a browsing history, should they or a hacker choose to.
Extensions changing hands and acquiring undesirable, unexpected behaviour isn't a new business model, and this particular change wasn't exactly a secret: as Heaton readily admits, the change of ownership and its implications were widely reported in the tech press at the time.
Unaccountably, the browser makers seem not to have picked up on those implications until now. This week Mozilla abruptly removed the extension from its Firefox Add-ons listing, writing:
We decided to block because of violation of data practices outlined in the review policy.
The Stylish page on the Chrome Web Store now returns a 404 error, so it seems Google has had second thoughts too, and Opera has since followed suit.
Of course, none of this will help the two million users who already run the extension and aren’t aware that it changed.
Well, I do get an alert when enabling any extension in my browser to allow it in private mode, saying that the extension can still track websites even in private mode.
I guess some people still don’t read prompts.
You had my heart a-throbbin' until I checked… I use ***Stylus*** for similar reasons.
There's almost always a catch with any reskinning tool; I just avoid them.
On Chrome, it actually disables the extension on users' browsers if the extension gets pulled from the store for policy violations.
Firefox does the same thing.
In addition, extensions which tried to push their luck and got caught (like Web of Trust, who started to get a bit too greedy), and then scaled things back a notch, now display a warning in the extensions menu and on install (like Web of Trust, whose extension now only seems to send the data it actually needs, but I, and many others, have already lost my trust in them, as they've stained their reputation with the stunt they tried to pull).
"Chrome and Firefox pull history-stealing browser extension." Having said that, what other browsers are stealing our data, how can we trust them not to do it some other way, and what protection does the public have to guard against this sort of thing in the future?