Stylish addon becoming trackingware
Posted: Fri Jan 06, 2017 5:34 am
FlashGotters and NoScripters of all lands, unite!
yes_noscript wrote:There already exists an alternative:
GµårÐïåñ wrote:Never used it much when it was legit and I doubt it will affect me now. I chose years ago to use GM or TM to achieve it on either Mozilla or Chromium/Safari/Opera rather than using their implementation. The biggest challenge was keeping the "framework" consistent so the behavior and function is the same on either platform - that was pretty much accomplished years ago.
Thrawn wrote:Is it really urgent to drop this? Supposedly you can just switch the tracking off.
Thrawn wrote:The author might just be selling out, but he also might legitimately think that the partnership he's signed up for is benign and worthwhile. [...] If you don't trust him at all, that's OK, but
> As far as tracking is concerned, anonymous information like which styles get installed or which sites visited get collected.
Sounds like "tracking browsing history" in so many words. I installed Stylish (v 1.6.3) from the Chrome store to investigate. I did not install any user styles. I went to the front page of Hacker News, and the Network tab in the dev tools of Stylish showed a POST to "https ://api.userstyles.org/tic/stats" (I added a space in the URL to prevent URL parsing). I randomly clicked on a link on the page and another POST was made to "api .userstyles.org". I manually entered the URL of the page here in a new tab and another POST was made to "api .userstyles.org".
I then looked at the data sent in the POST. It is two-pass base64 encoded data, and the data sent is as follows:
pxe=[a unique identifier reused for each page visited]
Notice the unique id (pxe) and the browsing data, i.e. the URLs navigated to (gp) and from (ver).
So yes, Stylish can now build a profile of your browsing history. The two-pass base64 encoding is something I have seen elsewhere in other such extensions with tracking ability, for example with Web of Trust and Popup Blocker. There is no other purpose than a silly attempt at obfuscating what it is doing. Any rationale to explain this attempt at obfuscation will be pure BS (there is no valid reason AT ALL to base64-encode twice -- so the only explanation left is "let's not make it *too* obvious what we are sending").
When I un-checked the option "Send anonymous data to Stylish developers for determining user counts", the extension ceased to send the browsing history.
It must be noted that the information sent is by no means anonymous, because of the unique user id in each POSTed request, and on top of this, by sending data to the "api .userstyles.org" server, the server will be able to match your IP with the data sent (your browsing history). But regardless, even if using a VPN, the POSTed data still identifies you through the unique id (very bad -- defeats the purpose of using a VPN as a means to enhance anonymity).
The manifest shows that the extension contains hooks for Google Analytics (this fulfills the "user counts" explanation). However I see an "object-src 'self'" content security policy, and I question this: this gives the extension the ability to embed plugins in its own code, though through a quick glance I can't see any file as of now in the extension itself which could be loaded as a plugin.
> This information powers some of the extension's functionality such as the ability to reveal styles to users when they visit sites in the browser
So things to keep in mind if you are eager to believe the above explanation from the Stylish representative:
- the attempt at obfuscation (no valid reasons whatsoever).
- the unique id "appUniqueId" (no valid reasons whatsoever).
- the full URL visited (could be just the hostname and only on 1st visit + possibly a user-initiated update manifest in case new user styles become available for a specific site already visited.)
- the full referrer URL (no valid reasons whatsoever).
All these are not necessary for the official stated goal -- and of course the worst is that the claim that the data is anonymous is false. If the will to not collect browsing history was really genuine, the extension would have been written in a very different way to accomplish the stated goal.
My advice is: if you *really* need that extension, disable the option to send supposedly anonymous data -- so far, as of writing, it seems it does what it says. Unfortunately, as is too often the case, the default is not pro-user, i.e. not opt-in, so a lot of people will end up having their browsing history collated (even if using a VPN).
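The analysis in the post above, reproduced from the defender's side: peel the two-pass base64 off a captured POST body, parse out the fields, flag the properties the post objects to (a persistent id, full visited and referrer URLs, layered encoding), and show how the id links visits together regardless of source IP. This is an added example, not code from the post, from Stylish, or from userstyles.org. The field names pxe, gp and ver and the host api.userstyles.org are taken from the post; laying the fields out as a form-encoded string is an assumption, and every sample value (the placeholder id, the visited URLs) is constructed.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode, urlsplit

# Host the post observed receiving the POSTs.
TELEMETRY_HOSTS = {"api.userstyles.org"}

# Constructed sample visits. Field names come from the post; the id value is a
# placeholder, not a captured identifier, and the form layout is an assumption.
SAMPLE_VISITS = [
    {"pxe": "PLACEHOLDER-ID-0001", "gp": "https://news.ycombinator.com/", "ver": ""},
    {"pxe": "PLACEHOLDER-ID-0001", "gp": "https://news.ycombinator.com/item?id=1",
     "ver": "https://news.ycombinator.com/"},
    {"pxe": "PLACEHOLDER-ID-0001", "gp": "https://forums.informaction.com/viewtopic.php?t=1",
     "ver": ""},
]


def double_b64_encode(fields):
    """Build a body the way the post describes (form-encode, then base64 twice).

    Used only to produce the constructed sample bodies below."""
    return base64.b64encode(base64.b64encode(urlencode(fields).encode()))


def peel_base64_layers(blob, max_layers=4):
    """Strip base64 layers until the result is no longer valid base64.

    Returns (decoded_bytes, number_of_layers_removed). A form body such as
    'pxe=...&gp=https%3A...' contains '&', '%' and '=' mid-string, so strict
    decoding stops there and the loop terminates by itself."""
    data, depth = blob, 0
    while depth < max_layers:
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        data, depth = decoded, depth + 1
    return data, depth


def decode_body(blob):
    """Peel the encoding and parse the form body into a flat dict of strings."""
    raw, depth = peel_base64_layers(blob)
    parsed = parse_qs(raw.decode("utf-8", "replace"), keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}, depth


def classify_request(url, body):
    """Flag what the post calls out: persistent id, full URLs, layered encoding."""
    host = urlsplit(url).hostname
    fields, depth = decode_body(body)
    findings = []
    if fields.get("pxe"):
        findings.append("persistent identifier (pxe)")
    for key in ("gp", "ver"):
        if fields.get(key, "").startswith(("http://", "https://")):
            findings.append(f"full URL in {key}")
    if depth > 1:
        findings.append(f"{depth}-layer base64 encoding")
    return {
        "host": host,
        "fields": fields,
        "findings": findings,
        # A visit only counts as tracking if it goes to the telemetry host and
        # carries an identifier that lets the receiver link visits together.
        "tracking": host in TELEMETRY_HOSTS and "persistent identifier (pxe)" in findings,
    }


def correlate_by_id(bodies):
    """Group visited URLs by the id they were sent with.

    This is the linkability the post describes: the receiver rebuilds a
    per-id history whether or not the requests came through a VPN."""
    history = {}
    for body in bodies:
        fields, _ = decode_body(body)
        history.setdefault(fields.get("pxe"), []).append(fields.get("gp"))
    return history


if __name__ == "__main__":
    endpoint = "https://api.userstyles.org/tic/stats"
    for visit in SAMPLE_VISITS:
        print(classify_request(endpoint, double_b64_encode(visit)))
    print(correlate_by_id([double_b64_encode(v) for v in SAMPLE_VISITS]))
```

`peel_base64_layers` is written generically rather than hard-coding two passes, so the same check works on a body that is not encoded at all (depth 0) or on a deeper stack, and `classify_request` only reports "tracking" when both the destination and a linkable identifier are present, which keeps genuinely anonymous counters from being flagged.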
Giorgio Maone wrote:AFAIK the new nosy version has already been rejected for the reason above.
barbaz wrote:I already disable automatic updating of all add-ons, so I'll just be sure to do a diff of the code when/if the next update becomes available.