Stylish addon becoming trackingware

[barbaz]

https://www.ghacks.net/2017/01/04/major-stylish-add-on-changes-in-regards-to-privacy/
https://www.bleepingcomputer.com/news/software/2-million-users-impacted-by-new-data-collection-policy-in-stylish-browser-add-on/

Yet another addon I'll have to fork

[yes_noscript]

No need for fork. It already exist a alternative: https://addons.mozilla.org/en-US/firefox/addon/stylrrr/

[barbaz]

Thanks, I'll look into it

[GµårÐïåñ]

Never used it much when it was legit and I doubt it will affect me now. I chose years ago to use GM or TM to achieve it on either Mozilla or Chromium/Safari/Opera rather than using their implementation. The biggest challenge was keeping the "framework" consistent so the behavior and function is the same on either platform - that was pretty much accomplished years ago.

[barbaz]

It already exist a alternative:

StylRRR does not work with SeaMonkey, even after conversion. The error messages are too obscure to debug.

Never used it much when it was legit and I doubt it will affect me now. I chose years ago to use GM or TM to achieve it on either Mozilla or Chromium/Safari/Opera rather than using their implementation. The biggest challenge was keeping the "framework" consistent so the behavior and function is the same on either platform - that was pretty much accomplished years ago.

How do you restyle the browser UI with this method?

[GµårÐïåñ]

Create a stub extension, load your code into it (you'd have to look up internal names on their dev page) and that's it. Not easy by any means but you limit the number of vectors that expose your browser. Now, of course if you don't know what you are doing, you can make things worse by making a critical mistake that's worse but at least you have yourself to blame.

BTW, easiest way to get the most common interface items that you would need to mod, grab a well written, popular theme (preferably google made) and rip it open and most of what you need will be inside there.

[barbaz]

Thanks.

[Thrawn]

Is it really urgent to drop this? Supposedly you can just switch the tracking off.

The author might just be selling out, but he also might legitimately think that the partnership he's signed up for is benign and worthwhile. Apparently it will mean more development resources, for example. If you don't trust him at all, that's OK, but I'd at least wait a bit and see what he does with it.

[GµårÐïåñ]

@thrawn +1

[barbaz]

I'm surprised you guys are taking that perspective here.

Is it really urgent to drop this? Supposedly you can just switch the tracking off.

The same was said of Wips extensions.

The author might just be selling out, but he also might legitimately think that the partnership he's signed up for is benign and worthwhile. [...] If you don't trust him at all, that's OK, but

... it doesn't matter how much I trust him.

Time and again, legitimate extensions have 'partnered' with online tracking companies. Every time, the tracking company adds their tracking code. And every time, one side or the other fails to provide adequate notice before *ever* tracking the user and so it comes to this - http://forums.mozillazine.org/viewtopic.php?f=48&t=2738555

See? The clock is ticking here, isn't it?

[yes_noscript]

Here also a comment from gorhill:

> As far as tracking is concerned, anonymous information like which styles get installed or which sites visited get collected.

Sounds like "tracking browsing history" in so much words. I installed Stylish (v 1.6.3) from the Chrome store to investigate. I did not install any user styles. I went to the front page of Hacker News, and the Network tab in the dev tools of Stylish showed a POST to "https ://api.userstyles.org/tic/stats" (I added a space in URL to prevent URL parsing). I randomly clicked on a link on the page and another POST was made to "api .userstyles.org". I manually entered the URL of the page here in a new tab and another POST was made to "api .userstyles.org".

I then looked at the data sent in the POST. It is a two-pass base64 encoded data, and the data sent is as follow:

vmt=1.6.3
lav=21
wv=1
gr=chrome
di=541
pxe=[a unique identifier reused for each page visited]
knl=https%3A%2F%2Fnews.ycombinator.com%2F
gp=http%3A%2F%2Fmattwarren.org%2F2016%2F12%2F12%2FResearch-papers-in-the-.NET-source%2F
ver=https%3A%2F%2Fnews.ycombinator.com%2F
st=1483716982098
ch=9

Notice the unique id (pxe) and the browsing data, i.e. the URLs navigated to (gp) and from (ver).

So yes, Stylish can now build a profile of your browsing history. The two-pass encoded base64 is something I have seen elsewhere in other such extensions with tracking ability, for example with Web of Trust and Popup Blocker. There is no other purpose than a silly attempt at obfuscating what it is doing. Any rationale to explain this attempt at obfuscation will be pure BS (there is no valid reason AT ALL to encode twice base64 -- so the only explanation left is "let's not make it *too* obvious what we are sending").

When I un-checked the option "Send anonymous data to Stylish developers for determining user counts", the extension ceased to send the browsing history.

It must be noted that the information sent is by no mean anonymous, because of the unique user id in each POSTed request, and on top of this by sending data to "api .userstyles.org" server, the server will be able to match your IP with the data sent (your browsing history). But regardless, even if using a VPN, the POSTed data still identify you through the unique id (very bad -- defeats the purpose of using a VPN as a mean to enhance anonymity).

The manifest shows that the extension contains hook for Google Analytics (this fulfills the "user counts" explanation). However I see a "object-src 'self'" content security policy, and I question this: this gives the extensions the ability to embed plugins in its own code[1], though through a quick glance I can't see any file as of now in the extension itself which could be loaded as a plugin.

> This information powers some of the extension's functionality such as the ability to reveal styles to users when they visit sites in the browser

So things to keep in mind if you are eager to believe the above explanation from Stylish representative:
- the attempt at obfuscation (no valid reasons whatsoever).
- the unique id "appUniqueId" (no valid reasons whatsoever).
- the full URL visited (could be just the hostname and only on 1st visit + possibly a user-initiated update manifest in case new user styles become available for a specific site already visited.)
- the full referrer URL (no valid reasons whatsoever).

All these are not necessary for the official stated goal -- and of course the worst is that the claim that the data is anonymous is false. If the will to not collect browsing history was really genuine, the extension would have been written in a very different way to accomplish the stated goal.

My advice is if you *really* need that extension, disable the option to send supposedly anonymous data -- so far, as of writing, it seems it does what it says. Unfortunately as is too often the case, the default is not pro-user i.e. not opt-in so a lot of people will end up having their browsing history collated (even if using a VPN).

***
[1] https://www.w3.org/TR/CSP2/#directive-object-src

http://www.ghacks.net/2017/01/04/major-stylish-add-on-changes-in-regards-to-privacy/#comment-4086083

[Giorgio Maone]

I'd just like to add, if nobody else did it yet, that this isn't gonna fly on Firefox because of AMO's editorial process which prevents "surprises" like that from being pulled (except, of course, for individual editors' mistakes).
In facts, the Stylish version available on AMO is still 6 months old, and AFAIK the new nosy version has already been rejected for the reason above.
However, if you're still worried they could manage to slip through AMO's checks, just turn off automatic updates for Stylish in your addons manager.
In other words, just a Chrome problem for now

[barbaz]

AFAIK the new nosy version has already been rejected for the reason above.

That is good news, thanks for sharing.

I already disable automatic updating of all add-ons, so I'll just be sure to do a diff of the code when/if the next update becomes available.

[yes_noscript]

I already disable automatic updating of all add-ons, so I'll just be sure to do a diff of the code when/if the next update becomes available.

Just disable updates for stylish is enough

[GµårÐïåñ]

@Giorgio reiterates my feeling about it. As long as you are proactive in your own security, you will be fine - or at least minimally compromised.

Going forward choices are: be more diligent. Isolate the good build from update. Fork it. Find an alternative. Build your own solution. I find myself running the full length of this for various software. Although I am currently 80% in the make your own solution area because each day more and more solutions becomes compromised, sell out, degrade their promise or simply just too bloated or deviated from original use.