Stylish addon becoming trackingware

General discussion about web technology.
barbaz
Senior Member
Posts: 8837
Joined: Sat Aug 03, 2013 5:45 pm

Stylish addon becoming trackingware

Post by barbaz » Fri Jan 06, 2017 5:34 am

*Always* check the changelogs BEFORE updating that important software!
-

yes_noscript

Re: Stylish addon becoming trackingware

Post by yes_noscript » Fri Jan 06, 2017 9:37 am

No need for a fork. There already exists an alternative: https://addons.mozilla.org/en-US/firefox/addon/stylrrr/
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20161214 PaleMoon/27.0.3


Re: Stylish addon becoming trackingware

Post by barbaz » Fri Jan 06, 2017 5:02 pm

Thanks, I'll look into it :)

GµårÐïåñ
Lieutenant Colonel
Posts: 3325
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Stylish addon becoming trackingware

Post by GµårÐïåñ » Sat Jan 07, 2017 12:30 am

Never used it much when it was legit and I doubt it will affect me now. I chose years ago to use GM or TM to achieve it on either Mozilla or Chromium/Safari/Opera rather than using their implementation. The biggest challenge was keeping the "framework" consistent so the behavior and function is the same on either platform - that was pretty much accomplished years ago.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36


Re: Stylish addon becoming trackingware

Post by barbaz » Sat Jan 07, 2017 2:04 am

yes_noscript wrote: There already exists an alternative:

StylRRR does not work with SeaMonkey, even after conversion. The error messages are too obscure to debug. :(

GµårÐïåñ wrote:Never used it much when it was legit and I doubt it will affect me now. I chose years ago to use GM or TM to achieve it on either Mozilla or Chromium/Safari/Opera rather than using their implementation. The biggest challenge was keeping the "framework" consistent so the behavior and function is the same on either platform - that was pretty much accomplished years ago.

How do you restyle the browser UI with this method?


Re: Stylish addon becoming trackingware

Post by GµårÐïåñ » Sat Jan 07, 2017 7:30 am

Create a stub extension, load your code into it (you'd have to look up internal names on their dev page) and that's it. Not easy by any means but you limit the number of vectors that expose your browser. Now, of course if you don't know what you are doing, you can make things worse by making a critical mistake that's worse but at least you have yourself to blame.

BTW, the easiest way to get the most common interface items that you would need to mod: grab a well-written, popular theme (preferably Google-made) and rip it open, and most of what you need will be inside there.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36


Re: Stylish addon becoming trackingware

Post by barbaz » Sat Jan 07, 2017 6:56 pm

Thanks.

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Stylish addon becoming trackingware

Post by Thrawn » Sun Jan 08, 2017 10:51 pm

Is it really urgent to drop this? Supposedly you can just switch the tracking off.

The author might just be selling out, but he also might legitimately think that the partnership he's signed up for is benign and worthwhile. Apparently it will mean more development resources, for example. If you don't trust him at all, that's OK, but I'd at least wait a bit and see what he does with it.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0


Re: Stylish addon becoming trackingware

Post by GµårÐïåñ » Mon Jan 09, 2017 5:57 am

@thrawn +1
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36


Re: Stylish addon becoming trackingware

Post by barbaz » Mon Jan 09, 2017 7:23 am

I'm surprised you guys are taking that perspective here.


Thrawn wrote:Is it really urgent to drop this? Supposedly you can just switch the tracking off.

The same was said of Wips extensions.

Thrawn wrote:The author might just be selling out, but he also might legitimately think that the partnership he's signed up for is benign and worthwhile. [...] If you don't trust him at all, that's OK, but

... it doesn't matter how much I trust him.

Time and again, legitimate extensions have 'partnered' with online tracking companies. Every time, the tracking company adds their tracking code. And every time, one side or the other fails to provide adequate notice before *ever* tracking the user and so it comes to this - http://forums.mozillazine.org/viewtopic.php?f=48&t=2738555

See? The clock is ticking here, isn't it?

yes_noscript

Re: Stylish addon becoming trackingware

Post by yes_noscript » Mon Jan 09, 2017 9:36 am

Here is also a comment from gorhill:
> As far as tracking is concerned, anonymous information like which styles get installed or which sites visited get collected.

Sounds like "tracking browsing history" in so many words. I installed Stylish (v 1.6.3) from the Chrome store to investigate. I did not install any user styles. I went to the front page of Hacker News, and the Network tab in the dev tools of Stylish showed a POST to "https ://api.userstyles.org/tic/stats" (I added a space in URL to prevent URL parsing). I randomly clicked on a link on the page and another POST was made to "api .userstyles.org". I manually entered the URL of the page here in a new tab and another POST was made to "api .userstyles.org".

I then looked at the data sent in the POST. It is two-pass base64-encoded data, and the data sent is as follows:

vmt=1.6.3
lav=21
wv=1
gr=chrome
di=541
pxe=[a unique identifier reused for each page visited]
knl=https%3A%2F%2Fnews.ycombinator.com%2F
gp=http%3A%2F%2Fmattwarren.org%2F2016%2F12%2F12%2FResearch-papers-in-the-.NET-source%2F
ver=https%3A%2F%2Fnews.ycombinator.com%2F
st=1483716982098
ch=9

Notice the unique id (pxe) and the browsing data, i.e. the URLs navigated to (gp) and from (ver).

So yes, Stylish can now build a profile of your browsing history. The two-pass encoded base64 is something I have seen elsewhere in other such extensions with tracking ability, for example with Web of Trust and Popup Blocker. There is no other purpose than a silly attempt at obfuscating what it is doing. Any rationale to explain this attempt at obfuscation will be pure BS (there is no valid reason AT ALL to encode twice base64 -- so the only explanation left is "let's not make it *too* obvious what we are sending").

When I un-checked the option "Send anonymous data to Stylish developers for determining user counts", the extension ceased to send the browsing history.

It must be noted that the information sent is by no means anonymous, because of the unique user id in each POSTed request, and on top of this by sending data to "api .userstyles.org" server, the server will be able to match your IP with the data sent (your browsing history). But regardless, even if using a VPN, the POSTed data still identifies you through the unique id (very bad -- defeats the purpose of using a VPN as a means to enhance anonymity).

The manifest shows that the extension contains a hook for Google Analytics (this fulfills the "user counts" explanation). However I see a "object-src 'self'" content security policy, and I question this: this gives the extension the ability to embed plugins in its own code[1], though through a quick glance I can't see any file as of now in the extension itself which could be loaded as a plugin.

> This information powers some of the extension's functionality such as the ability to reveal styles to users when they visit sites in the browser

So things to keep in mind if you are eager to believe the above explanation from Stylish representative:
- the attempt at obfuscation (no valid reasons whatsoever).
- the unique id "appUniqueId" (no valid reasons whatsoever).
- the full URL visited (could be just the hostname and only on 1st visit + possibly a user-initiated update manifest in case new user styles become available for a specific site already visited.)
- the full referrer URL (no valid reasons whatsoever).

All these are not necessary for the official stated goal -- and of course the worst is that the claim that the data is anonymous is false. If the will to not collect browsing history was really genuine, the extension would have been written in a very different way to accomplish the stated goal.

My advice is if you *really* need that extension, disable the option to send supposedly anonymous data -- so far, as of writing, it seems it does what it says. Unfortunately as is too often the case, the default is not pro-user i.e. not opt-in so a lot of people will end up having their browsing history collated (even if using a VPN).

***
[1] https://www.w3.org/TR/CSP2/#directive-object-src


http://www.ghacks.net/2017/01/04/major-stylish-add-on-changes-in-regards-to-privacy/#comment-4086083
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20161214 PaleMoon/27.0.3
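
A way to audit beacons like the one described in the quoted comment, from a capture of your own browser's traffic (added example, not part of the thread and not Stylish's or gorhill's code). It peels nested base64 layers, lists the fields that carry full URLs, and groups visited pages by the reused identifier. It assumes the decoded body is `&`-separated form data; the `pxe` value and the second sample are constructed, since the post elides the real identifier.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlencode, urlsplit

def peel_base64(body: bytes, max_passes: int = 4):
    """Remove nested base64 layers; return (plaintext bytes, layers removed)."""
    data, layers = body.strip(), 0
    while layers < max_passes:
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64 any more: we reached the real payload
        if not decoded or not decoded.isascii():
            break  # decoding produced binary noise, keep the previous layer
        data, layers = decoded, layers + 1
    return data, layers

def audit_beacon(body: bytes) -> dict:
    """Decode one captured POST body and pick out the fields that carry URLs."""
    plain, layers = peel_base64(body)
    fields = dict(parse_qsl(plain.decode("ascii"), keep_blank_values=True))
    url_fields = {k: v for k, v in fields.items()
                  if urlsplit(v).scheme in ("http", "https")}
    return {"layers": layers, "fields": fields, "url_fields": url_fields}

def history_by_id(bodies, id_field="pxe", page_field="gp", ref_field="ver"):
    """Group (page, referrer) pairs by the per-install identifier."""
    history = {}
    for body in bodies:
        f = audit_beacon(body)["fields"]
        history.setdefault(f.get(id_field), []).append(
            (f.get(page_field), f.get(ref_field)))
    return history

def make_sample(fields: dict) -> bytes:
    """Constructed test input: form-encode, then base64 twice."""
    return base64.b64encode(base64.b64encode(urlencode(fields).encode()))

SAMPLE_ID = "CONSTRUCTED-ID-0001"  # placeholder; the page elides the real value
HN = "https://news.ycombinator.com/"
SAMPLES = [
    make_sample({"vmt": "1.6.3", "gr": "chrome", "pxe": SAMPLE_ID, "knl": HN,
                 "gp": "http://mattwarren.org/2016/12/12/Research-papers-in-the-.NET-source/",
                 "ver": HN, "st": "1483716982098"}),
    make_sample({"vmt": "1.6.3", "gr": "chrome", "pxe": SAMPLE_ID,
                 "gp": "https://example.org/constructed-page", "ver": HN}),
]

if __name__ == "__main__":
    print(audit_beacon(SAMPLES[0])["url_fields"])
    print(history_by_id(SAMPLES))
```

Every beacon lands under the same key in `history_by_id`, which is the linkage the comment objects to: the identifier ties the pages together regardless of source IP.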

Giorgio Maone
Site Admin
Posts: 8654
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Stylish addon becoming trackingware

Post by Giorgio Maone » Mon Jan 09, 2017 11:27 am

I'd just like to add, if nobody else did it yet, that this isn't gonna fly on Firefox because of AMO's editorial process which prevents "surprises" like that from being pulled (except, of course, for individual editors' mistakes).
In fact, the Stylish version available on AMO is still 6 months old, and AFAIK the new nosy version has already been rejected for the reason above.
However, if you're still worried they could manage to slip through AMO's checks, just turn off automatic updates for Stylish in your addons manager.
In other words, just a Chrome problem for now ;)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0


Re: Stylish addon becoming trackingware

Post by barbaz » Mon Jan 09, 2017 4:30 pm

Giorgio Maone wrote:AFAIK the new nosy version has already been rejected for the reason above.

That is good news, thanks for sharing. 8-)

I already disable automatic updating of all add-ons, so I'll just be sure to do a diff of the code when/if the next update becomes available.

yes_noscript

Re: Stylish addon becoming trackingware

Post by yes_noscript » Mon Jan 09, 2017 8:55 pm

barbaz wrote:I already disable automatic updating of all add-ons, so I'll just be sure to do a diff of the code when/if the next update becomes available.

Just disabling updates for Stylish is enough ;)
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20161214 PaleMoon/27.0.3


Re: Stylish addon becoming trackingware

Post by GµårÐïåñ » Mon Jan 09, 2017 11:42 pm

@Giorgio reiterates my feeling about it. As long as you are proactive in your own security, you will be fine - or at least minimally compromised.

Going forward, the choices are: be more diligent. Isolate the good build from updates. Fork it. Find an alternative. Build your own solution. I find myself running the full length of this for various software. Although I am currently 80% in the make-your-own-solution area because each day more and more solutions become compromised, sell out, degrade their promise or are simply just too bloated or deviated from original use.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
