Google and Mozilla have suddenly removed the Stylish browser extension from their stores. The open-source extension, which allows users to personalise the appearance of a webpage, is allegedly capturing users' browsing history that could be used by its owner SimilarWeb to identify users. While neither Google nor Mozilla has detailed the malicious behaviour of the extension, which has close to two million users, software engineer Robert Heaton published a blog post detailing the alleged security loophole, which has existed since January 2017. This was the time when SimilarWeb released a new policy.
In his post, Heaton claims that the Stylish extension “steals all your Internet history” and sends browsing activity along with a unique identifier directly to SimilarWeb’s servers. “Stylish sends our complete browsing activity back to its servers, together with a unique identifier,” the engineer explains. “This allows its new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie. This means that not only does SimilarWeb own a copy of our complete browsing histories, they also own enough other data to theoretically tie these histories to email addresses and real-world identities.”
According to the formal policy introduced in January 2017, months after Israel-based SimilarWeb bought Stylish in October 2016, the extension collects anonymous data. However, Heaton points out that the same extension attaches the identifier to the collected data and sends it to SimilarWeb’s servers for further use. “[I]t only takes one tracking request containing one session cookie to permanently associate a user account with a Stylish tracking identifier,” he writes. “This means that Stylish and SimilarWeb still have all the data they need to connect a real-world identity to a browsing history, should they or a hacker choose to.”
As quoted by ZDNet, SimilarWeb refuted the allegation and said, “We are not aware of and cannot determine the identity of the users from whom the non-personal information is collected.”
Having said that, it appears that Google and Mozilla are aware of the development and have therefore removed the extension, which offers a CSS editor that lets users easily personalise any Web page with their custom effects.
Mozilla reportedly removed the Stylish extension from its Firefox Add-ons store this week. “We decided to block because of violation of data practices outlined in the review policy,” Mozilla software engineer Andreas Wagner wrote in response to a bug report raised by a Firefox user.
Unlike Mozilla, Google had not explained its move through a public announcement at the time of filing this story. However, the link to the Stylish extension listing on the Chrome Web Store was returning a 404 page.
Users who are already using Stylish on their Web browsers are no longer able to use its features. The suspicious extension hasn’t been removed from the browsers, though. Moreover, users will be shown a warning to restart their browser, after which they are not likely to be able to reinstall Stylish.