PSA: "Stylish" browser add-on steals your internet history July 3, 2018 7:33 PM   Subscribe

The popular "Stylish" browser extension, which allows you to download custom styles for a given site (such as making text more readable, removing UI cruft, or adding a professional white background), has been silently logging its users web activity for the last year and a half. The new owners of the add-on at the time, SimilarWeb, offer products including “Market Solutions To See All Your Competitors’ Traffic.”

While the data is supposedly anonymized, many URLs can be trivially de-anonymized, especially when linked to your cookies on popular sites for downloadable styles, or even just from data in the pages you're visiting such as login or password reset tokens.

Mozilla has removed Stylish from its add-on catalog, but as of this writing it is still available on the Chrome store, and neither is likely to automatically disable or remove the add-on even for your protection.

Alternatives exist, including a fork of the pre-spyware Stylish called "Stylus" for Firefox or Chrome.

However, this is likely an important lesson about the security risks of custom browser extensions... even those originally developed with good intentions can be acquired by people with more sinister and/or incompetent security practices.
posted by Riki tiki to MetaFilter-Related at 7:33 PM (14 comments total) 9 users marked this as a favorite

oh well then i hope they like mchanzo porn
posted by poffin boffin at 7:38 PM on July 3 [13 favorites]


Now that I don't have the higher-contrast style applied automatically, I feel like MetaFilter has been reset to its retail settings with the brightness and tint turned to maximum. :(
posted by Riki tiki at 7:45 PM on July 3


Thank you for letting us know about this!
posted by lalex at 8:16 PM on July 3 [2 favorites]


I was about to make a post on the blue about this when work got busy! The author of uBlock Origin (gorhil) wrote about this a year ago. The user info is correlated with a unique ID, so SimilarWeb can build a complete profile of you with this stuff.
posted by Jpfed at 8:50 PM on July 3 [1 favorite]


Thanks, Riki tiki - wow I didn't realize Stylish had been sold off last year. Do you (or anyone else) know if the logging has been happening even if the browser extension option for "Send anonymous data to Stylish developers" was disabled? I did a quick search and didn't find anything so far.

Disabled Stylish in my browsers and installed Stylus instead. Another incentive to copy my user styles over to the MeFiScripts github.
posted by rangefinder 1.4 at 8:50 PM on July 3 [2 favorites]


If you opt out, it doesn't send your data to SimilarWeb. At least, last time someone checked...
posted by Jpfed at 8:54 PM on July 3 [1 favorite]


I feel like this could be moved to the blue, for the sake of visibility, and discussion. (Which is to say it's a good post and I think a lot of people would be interested.)
posted by shapes that haunt the dusk at 10:49 PM on July 3 [11 favorites]


Don't know if it's worth a separate PSA, but 500px -- originally billed as "Flickr's replacement" and one of the external profile options you can select for your personal profile -- was recently bought by a China-based entity, is radically changing its copyright options with literally no notice, removing all Creative Commons-licensed material and eliminating the 500px Marketplace, with anything remaining being used by Getty Images. Jason Scott and the Archive Team have slurped up as much of the CC-licensed photos as they can to save them.
posted by WCityMike at 12:24 AM on July 4 [1 favorite]


Yup, I'm not a 500px user but I've been following that drama for a little while. Users are not happy about it. Interestingly, with the purchase by Smugmug (who seem to know what they have and want to do well by their users) it turns out that Flickr's replacement is probably Flickr.
posted by Anticipation Of A New Lover's Arrival, The at 5:28 AM on July 4 [1 favorite]


I'm with shapes that haunt the dusk. This really belongs on the blue. Thanks Riki tiiki for the heads-up.
posted by 4ster at 11:32 AM on July 4


> Mozilla has removed Stylish from its add-on catalog, but as of this writing it is still available on the Chrome store, and neither is likely to automatically disable or remove the add-on even for your protection.

The lastest update to Firefox auto-disables Stylish 3.1.x. There are ways to recover your userstyles from your Firefox user profile, but the recommended workflow will lead you to a file that might be over a year old. To fetch the latest version, you have to do some digging through JSON files in Profiles/[your profile]/browser-extension-data.
posted by ardgedee at 5:37 PM on July 4


For Safari, the recommended Stylish replacement is Freestyler, with the caveat that it's not as robust, and uses its own styles repository rather than userstyles.org. Freestyler's UI is a pretty dramatic rearrangement but mostly works the same as Stylish does.

On the upside, it looks like Stylish's new owner has ignored Safari entirely; it's still on version 2.0.8, which is pre-takeover. So I'm not certain whether Stylish for Safari needs to be replaced. I've installed Freestyler and copied the rules, but disabled it. Sticking with Stylish for the time being and keeping Freestyler as a backup utility.
posted by ardgedee at 6:00 PM on July 4 [1 favorite]


Hey thank you -- I was wondering what the warning was this morning.
posted by jessamyn (retired) at 5:24 AM on July 5


Posted it.
posted by Jpfed at 7:08 AM on July 5 [1 favorite]


« Older Argument clinic: arguing without fighting   |   Positive Masculinity on the Blue Newer »

You are not logged in, either login or create an account to post comments