Stylish addon becoming trackingware
https://www.ghacks.net/2017/01/04/major ... o-privacy/
https://www.bleepingcomputer.com/news/s ... er-add-on/
Yet another addon I'll have to fork
*Always* check the changelogs BEFORE updating that important software!
Re: Stylish addon becoming trackingware
No need for a fork. There already exists an alternative: https://addons.mozilla.org/en-US/firefox/addon/stylrrr/
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20161214 PaleMoon/27.0.3
Re: Stylish addon becoming trackingware
Thanks, I'll look into it
*Always* check the changelogs BEFORE updating that important software!
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Stylish addon becoming trackingware
Never used it much when it was legit and I doubt it will affect me now. I chose years ago to use GM or TM to achieve it on either Mozilla or Chromium/Safari/Opera rather than using their implementation. The biggest challenge was keeping the "framework" consistent so the behavior and function is the same on either platform - that was pretty much accomplished years ago.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Re: Stylish addon becoming trackingware
yes_noscript wrote:
> There already exists an alternative:
StylRRR does not work with SeaMonkey, even after conversion. The error messages are too obscure to debug.
GµårÐïåñ wrote:
> Never used it much when it was legit and I doubt it will affect me now. I chose years ago to use GM or TM to achieve it on either Mozilla or Chromium/Safari/Opera rather than using their implementation. The biggest challenge was keeping the "framework" consistent so the behavior and function is the same on either platform - that was pretty much accomplished years ago.
How do you restyle the browser UI with this method?
*Always* check the changelogs BEFORE updating that important software!
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Stylish addon becoming trackingware
Create a stub extension, load your code into it (you'd have to look up internal names on their dev page) and that's it. Not easy by any means but you limit the number of vectors that expose your browser. Now, of course if you don't know what you are doing, you can make things worse by making a critical mistake that's worse but at least you have yourself to blame.
BTW, easiest way to get the most common interface items that you would need to mod, grab a well written, popular theme (preferably google made) and rip it open and most of what you need will be inside there.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Re: Stylish addon becoming trackingware
Thanks.
*Always* check the changelogs BEFORE updating that important software!
Re: Stylish addon becoming trackingware
Is it really urgent to drop this? Supposedly you can just switch the tracking off.
The author might just be selling out, but he also might legitimately think that the partnership he's signed up for is benign and worthwhile. Apparently it will mean more development resources, for example. If you don't trust him at all, that's OK, but I'd at least wait a bit and see what he does with it.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Stylish addon becoming trackingware
@thrawn +1
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Re: Stylish addon becoming trackingware
I'm surprised you guys are taking that perspective here.
Thrawn wrote:
> Is it really urgent to drop this? Supposedly you can just switch the tracking off.
The same was said of Wips extensions.
Thrawn wrote:
> The author might just be selling out, but he also might legitimately think that the partnership he's signed up for is benign and worthwhile. [...] If you don't trust him at all, that's OK, but
... it doesn't matter how much I trust him.
Time and again, legitimate extensions have 'partnered' with online tracking companies. Every time, the tracking company adds their tracking code. And every time, one side or the other fails to provide adequate notice before *ever* tracking the user and so it comes to this - http://forums.mozillazine.org/viewtopic ... &t=2738555
See? The clock is ticking here, isn't it?
*Always* check the changelogs BEFORE updating that important software!
Re: Stylish addon becoming trackingware
Here is also a comment from gorhill:
http://www.ghacks.net/2017/01/04/major- ... nt-4086083
> As far as tracking is concerned, anonymous information like which styles get installed or which sites visited get collected.
Sounds like "tracking browsing history" in so many words. I installed Stylish (v 1.6.3) from the Chrome store to investigate. I did not install any user styles. I went to the front page of Hacker News, and the Network tab in the dev tools of Stylish showed a POST to "https ://api.userstyles.org/tic/stats" (I added a space in URL to prevent URL parsing). I randomly clicked on a link on the page and another POST was made to "api .userstyles.org". I manually entered the URL of the page here in a new tab and another POST was made to "api .userstyles.org".
I then looked at the data sent in the POST. It is two-pass base64-encoded data, and the data sent is as follows:
vmt=1.6.3
lav=21
wv=1
gr=chrome
di=541
pxe=[a unique identifier reused for each page visited]
knl=https%3A%2F%2Fnews.ycombinator.com%2F
gp=http%3A%2F%2Fmattwarren.org%2F2016%2F12%2F12%2FResearch-papers-in-the-.NET-source%2F
ver=https%3A%2F%2Fnews.ycombinator.com%2F
st=1483716982098
ch=9
Notice the unique id (pxe) and the browsing data, i.e. the URLs navigated to (gp) and from (ver).
So yes, Stylish can now build a profile of your browsing history. The two-pass encoded base64 is something I have seen elsewhere in other such extensions with tracking ability, for example with Web of Trust and Popup Blocker. There is no other purpose than a silly attempt at obfuscating what it is doing. Any rationale to explain this attempt at obfuscation will be pure BS (there is no valid reason AT ALL to encode twice base64 -- so the only explanation left is "let's not make it *too* obvious what we are sending").
When I un-checked the option "Send anonymous data to Stylish developers for determining user counts", the extension ceased to send the browsing history.
It must be noted that the information sent is by no means anonymous, because of the unique user id in each POSTed request, and on top of this by sending data to "api .userstyles.org" server, the server will be able to match your IP with the data sent (your browsing history). But regardless, even if using a VPN, the POSTed data still identifies you through the unique id (very bad -- defeats the purpose of using a VPN as a means to enhance anonymity).
The manifest shows that the extension contains a hook for Google Analytics (this fulfills the "user counts" explanation). However I see an "object-src 'self'" content security policy, and I question this: this gives the extension the ability to embed plugins in its own code[1], though through a quick glance I can't see any file as of now in the extension itself which could be loaded as a plugin.
> This information powers some of the extension's functionality such as the ability to reveal styles to users when they visit sites in the browser
So things to keep in mind if you are eager to believe the above explanation from Stylish representative:
- the attempt at obfuscation (no valid reasons whatsoever).
- the unique id "appUniqueId" (no valid reasons whatsoever).
- the full URL visited (could be just the hostname and only on 1st visit + possibly a user-initiated update manifest in case new user styles become available for a specific site already visited.)
- the full referrer URL (no valid reasons whatsoever).
All these are not necessary for the official stated goal -- and of course the worst is that the claim that the data is anonymous is false. If the will to not collect browsing history was really genuine, the extension would have been written in a very different way to accomplish the stated goal.
My advice is if you *really* need that extension, disable the option to send supposedly anonymous data -- so far, as of writing, it seems it does what it says. Unfortunately as is too often the case, the default is not pro-user i.e. not opt-in so a lot of people will end up having their browsing history collated (even if using a VPN).
***
[1] https://www.w3.org/TR/CSP2/#directive-object-src
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20161214 PaleMoon/27.0.3
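An added example, not part of gorhill's comment or of any post in this thread: one way to audit a captured request body like the one described above, by peeling the nested base64 layers and grouping the visited URLs by the identifier sent with them. The field names and values are the ones listed in the comment; the "&" separator, the placeholder identifier, the second visit and all function names are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed samples: field names and values as listed in the comment. The "&"
# separator, the identifier value and the second visit are assumptions.
BASE = {"vmt": "1.6.3", "lav": "21", "wv": "1", "gr": "chrome", "di": "541",
        "pxe": "PLACEHOLDER-ID", "knl": "https://news.ycombinator.com/",
        "ver": "https://news.ycombinator.com/", "st": "1483716982098", "ch": "9"}
VISITS = ["http://mattwarren.org/2016/12/12/Research-papers-in-the-.NET-source/",
          "https://example.org/second/page"]


def make_body(fields: dict) -> bytes:
    """Build a constructed request body: query string, base64-encoded twice."""
    return base64.b64encode(base64.b64encode(urlencode(fields).encode()))


SAMPLE_BODIES = [make_body({**BASE, "gp": url}) for url in VISITS]


def peel_base64(body: bytes, max_layers: int = 5):
    """Strip nested base64 layers; return (plaintext, layers_removed)."""
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(body, validate=True)
            decoded.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # not base64 (or not text) any more: this is the payload
        if not decoded:
            break
        body, layers = decoded, layers + 1
    return body.decode("ascii", "replace"), layers


def decode_report(body: bytes) -> dict:
    """Decode one captured body and pick out the URL-valued fields."""
    text, layers = peel_base64(body)
    fields = dict(parse_qsl(text, keep_blank_values=True))
    urls = {k: v for k, v in fields.items()
            if urlsplit(v).scheme in ("http", "https")}
    return {"layers": layers, "fields": fields, "urls": urls}


def history_by_id(bodies, id_field="pxe", url_field="gp") -> dict:
    """Group visited URLs by the identifier sent with them (per the comment:
    pxe = unique id, gp = URL navigated to)."""
    history = {}
    for body in bodies:
        fields = decode_report(body)["fields"]
        if id_field in fields and url_field in fields:
            history.setdefault(fields[id_field], []).append(fields[url_field])
    return history
```

Running `history_by_id(SAMPLE_BODIES)` returns every visited URL under the single identifier, which is the linkage that makes the "anonymous" label untenable.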
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Stylish addon becoming trackingware
I'd just like to add, if nobody else did it yet, that this isn't gonna fly on Firefox because of AMO's editorial process which prevents "surprises" like that from being pulled (except, of course, for individual editors' mistakes).
In fact, the Stylish version available on AMO is still 6 months old, and AFAIK the new nosy version has already been rejected for the reason above.
However, if you're still worried they could manage to slip through AMO's checks, just turn off automatic updates for Stylish in your addons manager.
In other words, just a Chrome problem for now
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Re: Stylish addon becoming trackingware
Giorgio Maone wrote:
> AFAIK the new nosy version has already been rejected for the reason above.
That is good news, thanks for sharing.
I already disable automatic updating of all add-ons, so I'll just be sure to do a diff of the code when/if the next update becomes available.
*Always* check the changelogs BEFORE updating that important software!
Re: Stylish addon becoming trackingware
barbaz wrote:
> I already disable automatic updating of all add-ons, so I'll just be sure to do a diff of the code when/if the next update becomes available.
Just disabling updates for Stylish is enough
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20161214 PaleMoon/27.0.3
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Stylish addon becoming trackingware
@Giorgio reiterates my feeling about it. As long as you are proactive in your own security, you will be fine - or at least minimally compromised.
Going forward choices are: be more diligent. Isolate the good build from update. Fork it. Find an alternative. Build your own solution. I find myself running the full length of this for various software. Although I am currently 80% in the make-your-own-solution area because each day more and more solutions become compromised, sell out, degrade their promise or are simply too bloated or deviated from their original use.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36