Google, Mozilla, and Opera have pulled a browser extension with more than two million downloads after it was caught tracking every website its users visited—and sending the data to a remote server.
The Stylish extension allowed users to customize the look and feel of websites in a variety of ways. Among other things, it could remove clutter such as Facebook or Twitter news feeds, change normal pictures to black-and-white manga images, and change black-on-white site themes to white-on-black themes.
Heaton used a security-testing tool called Burp Suite to analyze precisely what Stylish was doing. He found that it sent a large amount of obfuscated data to userstyles.org, a website under the control of the new Stylish owner. Heaton quickly figured out how to decode the data and discovered it contained an alarming amount of detail, including every URL he visited, the actual Google search results from his browser window, and, by default, a unique identifier (although that identifier can be removed by changing a setting).
Heaton said Stylish has been collecting the browsing histories of Chrome users since January 2017 and of Firefox users since March. Even though the collection was disclosed, it largely escaped the notice of Google, Mozilla, and Opera, not to mention more than two million end users, until Heaton documented it. Officials with Stylish didn’t immediately respond to a request to comment for this post.
The episode is the latest reminder that browser extensions come at a cost, both in terms of the data they may collect and the increased attack surface they may provide for hackers. The event makes clear that browser makers apply minimal scrutiny to the extensions they host. Security-conscious users should install extensions sparingly, especially those that offer minimal benefit. For users who want to disregard this advice and use an extension that offers the same features as Stylish, Heaton recommends Stylus.