
“Stylish” browser extension steals all your internet history - mbaye
https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/
======
mcjiggerlog
This is a huge problem for the extension ecosystem in general. Who originally
publishes an extension may not be the same entity that is pushing you updates
in two years time, and there's no way as a user to know this.

I publish a few extensions [1] [2] [3] and have been contacted multiple times
by companies asking to buy them for several thousand dollars. They told me the
going rate was 0.20 USD per user. You can imagine what kind of deals are being
made when the extension has a million plus users.

When pushed for exactly why they wanted to buy the extensions, which are in no
way monetizable, they gave vague answers about "user insights". I can
guarantee there will be many other major extensions that have sold out their
users.

[1] [https://chrome.google.com/webstore/detail/old-reddit-
redirec...](https://chrome.google.com/webstore/detail/old-reddit-
redirect/dneaehbmnbhcippjikoajpoabadpodje)

[2] [https://chrome.google.com/webstore/detail/break-
timer/hklkdb...](https://chrome.google.com/webstore/detail/break-
timer/hklkdbpicdmlpoiellngedpejjkmapei/reviews)

[3] [https://chrome.google.com/webstore/detail/reddit-comment-
col...](https://chrome.google.com/webstore/detail/reddit-comment-
collapser/njmimaecgocggclbecipdimilidimlpl)

~~~
bovine3dom
On the other side of the coin, Firefox makes it quite hard to push updates to
users that require more permissions, requiring manual intervention to update.
It signifies this with a small muted yellow exclamation mark on the hamburger
menu, which is really hard to see.

I've not received my own updates for weeks a few times because I haven't
noticed the warning, and about a third of our users are on ancient versions
presumably because of it [1].

I think the real solution to this problem is GDPR: massive fines if you abuse
your users' trust (and get caught).

I'm not keen on the literal dark pattern that Firefox uses to dissuade
developers from requiring new permissions.

[1] [https://addons.mozilla.org/en-US/firefox/addon/tridactyl-
vim...](https://addons.mozilla.org/en-US/firefox/addon/tridactyl-
vim/statistics/usage/versions/?last=365#)

~~~
inetknght
Firefox is in the right here. I absolutely do not ever want extensions to
automatically get new permissions automatically just because I accepted an old
version's lesser permissions.

If you want more permissions, then _ask_ for more permissions.

And don't be surprised when people say NO.

Not everyone wants to grant the permissions to your update even if the update
fixes bugs in older versions. Not everyone will want your new feature in the
first place. Denying permissions is an easy way to eliminate the risk of
having to go through and figure out whether or not the new feature is
trustworthy.

And if you're not adding a new feature, then why do you need more permissions?

~~~
bovine3dom
> then ask for more permissions.

I agree with you. As another reply to you states, however, Firefox doesn't
currently let me ask. You have to kind of go hunting for it.

> And if you're not adding a new feature, then why do you need more
> permissions?

Firefox does not let me explain why the permissions are needed. It would be
nice if we could have a little blurb where we can state our case next to each
permission.

Our current approach is to explain likely upcoming permissions requests in
advance and ask our users to stay vigilant for the appearance of the tiny
yellow exclamation mark, but that's not very helpful to the third of users
stuck on old verions before we learnt that trick.

> And don't be surprised when people say NO.

I think very few of these users have said no on purpose. We ask for (and use)
almost everything [1], so any marginal new permissions are unlikely to give us
much more power. The current permission model actually makes it tempting to
just literally ask for everything because we might want it for a new feature
in the future.

The optional permissions are not fine-grained enough to be useful (you can
accept all optional permissions, or none) and not available for enough
permissions, otherwise we would use them.

Also, the first versions of our software were really slow and bad. I really
doubt many people are staying there on purpose. (If there are any Tridactyl
users in this thread using an old version on purpose, I'd like to hear from
you :) ).

[1]
[https://github.com/cmcaine/tridactyl/blob/e20a224fb8d8bbb2b7...](https://github.com/cmcaine/tridactyl/blob/e20a224fb8d8bbb2b742599cc69672d7c9fe0c42/src/manifest.json#L41)

~~~
inetknght
Firefox and Chromium are both open source. If you don't like the way it works,
then work with the teams to build a better experience.

~~~
bovine3dom
I can kind of understand that charge when it is levelled about people
complaining about Quantum and doing nothing about it, but I already spend
countless hours a week working on a replacement for an extension that died
because of Quantum.

How much more time can I reasonably be expected to donate? Just trying to find
duplicates on the BMO could take ages.

Complaining into the void on the internet takes much less time and makes me
feel better :)

~~~
inetknght
Maybe start pointing out how things are far too complex and work to reduce
complexity instead?

------
Zren
I've gotten annoyed enough to just copy the source from most of my extensions
(located at `~/.config/google-chrome/Default/Extensions/`), remove the update
stuff from the `metadata.json` and load them as developer extensions so they
never update.

It's easy enough to update them + audit the code when something breaks. The
hardest part is downloading the new code (.crx) without installing it, I had
to write javascript I paste into the console. StackOverflow can unzip a crx by
striping the first 306 bytes.

I forked Stylish v1.5.2 a year ago before I heared of Stylus, but I've no need
to to switch since the original extension was pretty good.
[https://github.com/Zren/chrome-extension-
stylish#fork](https://github.com/Zren/chrome-extension-stylish#fork)

~~~
HelenePhisher
You can extract the .crx without Javascript using this webservice:
[http://crxextractor.com/](http://crxextractor.com/)

Used it a couple of times in the past, it is a good one.

~~~
Zren
All you need to do is remove the first 306 bytes to turn it into a normal zip
file.

    
    
        tail -c +307 in.crx > out.zip
    

Credit to this guy in the comments.
[https://superuser.com/questions/139190/how-to-unpack-a-
chrom...](https://superuser.com/questions/139190/how-to-unpack-a-chrome-
theme#comment624001_139198)

------
psergeant
Offices in the UK. I would encourage anyone in the EU who used this to file a
GDPR complaint.

~~~
spyder
From their Privacy Policy:

 _" Where provided under applicable law (such as within the European Union),
you may have the right to ask us to delete Personal Information which you have
provided to us [... ] contact our Data Protection Officer at:
dpo@userstyles.org."_

[https://addons.mozilla.org/en-
US/firefox/addon/stylish/priva...](https://addons.mozilla.org/en-
US/firefox/addon/stylish/privacy/)

~~~
peteretep
That's nice for them. I also have the right to refer them to my local data
commissioner though, about the absolutely lack of meaningful consent they
gathered from me here. I hope their investors get taken to the cleaners by the
resulting fines.

------
TheCapeGreek
As others have said, immediately switch to Stylus. While we're at it stop
using Ghostery as well since they were bought by an ad company. Use Privacy
Badger or a decent alternative (noscript + heavy/custom uBlock lists should
work just fine)

~~~
Chilinot
If you dont want the heavy handed solution that NoScript provides, i would
suggest "uBlock Matrix".

~~~
dredmorbius
There are two, similar, though different, extensions.

uBlock _origin_ is a dedicated, quite-good, low-fuss, ad blocker.

uMatrix is a much more general, very powerful, though somewhat fussy, general
Web capabilities manager. If you don't mind fiddling with sites periodically,
it's _very_ strongly recommended, but for user populations who don't do this
or grasp technology poorly, it will require some fairly close managing,
_especially_ if the user base doesn't report problems and just accepts "the
site is broken".

I'd highlighted my preset recommended set of browser extensions for 2018 a
couple of weeks back. The hero image is uMatrix's control interface.

[https://plus.google.com/104092656004159577193/posts/WVEM83FY...](https://plus.google.com/104092656004159577193/posts/WVEM83FY169)

~~~
inetknght
If the site loads tons of crapware then the site is broken regardless of
whether or not uMatrix blocked things.

~~~
dredmorbius
If you've not been paying attention or specifically trying to counter that
trend, you'd be amazed at how complex a typical site is. Even those which
otherwise appear clean.

~~~
inetknght
I appreciate the sentiment but indeed I know very well how complex a typical
site is. Unfortunately I think a very large portion of most websites are far
too complex for what they provide.

~~~
dredmorbius
Agreed on that last.

------
mappu
I discussed this problem (in a bit inflammatory way) last month:
[https://news.ycombinator.com/item?id=17242003](https://news.ycombinator.com/item?id=17242003)

It's particularly annoying, because I do have this Stylish extension installed
(using css ::after rules to tag HN users)

EDIT: You can submit an abuse report when uninstalling a Chrome extension.

~~~
yborg
Sort of ironic sending an abuse notification to a company that does precisely
the same thing on a much vaster scale. And I would assume that the T&C for the
new and improved Stylish that you accept when you install it informs you that
you are giving them permission to do this, so there isn't even any abuse to
complain about here.

~~~
mappu
I had this extension installed for years, from back when it was "still good".
I don't recall ever seeing a T&C prompt, and in the last 3-4 years I've become
quite vigilant about always reading full T&C texts (much to the amusement of
others).

I was put in this tracking program without my consent.

------
eastendguy
This reminds of the "WOT, Web of Trust" (haha) privacy issue in 2016:
Reporters (disguising as business men) were offered data that includes the
surfing habits of three million German citizens. This data was, at least
partly, collected by the “Web of trust” (WOT) browser extensions. The
reporters were able to use this data to identify the browsing habits of
individual persons – including high-ranking German and EU politicians.

English: [https://ocr.space/blog/2016/11/wot-browser-extension-
collect...](https://ocr.space/blog/2016/11/wot-browser-extension-collects-
habits.html)

~~~
mirimir
Indeed. I never trusted it. I never trust _any_ feature or add-on that uploads
anything. That includes malicious site detectors. I only use stuff that relies
on local databases.

~~~
dredmorbius
Any recommendations on malicious site alternatives?

I'm still looking to update my router (Turris Omnia) to use DNSMasq rather
than Knot Resolver, which may offer an edge on DNSSec capabilities (though I
believe this has lapsed), but is far _less_ capable of being locally
customised along the lines of DNSMasq.

[https://www.knot-resolver.cz/](https://www.knot-resolver.cz/)

[http://www.thekelleys.org.uk/dnsmasq/doc.html](http://www.thekelleys.org.uk/dnsmasq/doc.html)

------
dannyw
Google needs to take action here. From requiring re-confirming permissions
every time a significant privacy policy change is made, or just by nuking
SimilarWeb altogether from the web App Store.

~~~
izacus
I can already see the followup HN news: "Google attacking developers on Chrome
Web Store and breaking free web!"

~~~
nailer
Yeah one thing Google doesn't do is collect info about what you do on the
internet and sell it to other people.

[https://myactivity.google.com/myactivity](https://myactivity.google.com/myactivity)

More seriously: if Stylish concerns you, Chrome should too.

~~~
izacus
Google indeed doesn't sell info to other people. (It does collect it though.)

~~~
Silhouette
Is there a _definitive_ list anywhere of what Chrome collects and where it
goes?

There have been rumours forever, but I'm interested in verifiable facts.

~~~
nailer
If you're logged in, which Chrome strongly encourages, it's your entire
browsing history. See the URL above.

~~~
Silhouette
Thanks, but what I'm really trying to ask here is what a vanilla Chrome
installation does. If someone just installs Chrome, leaves all settings as
defaults, and doesn't opt in to anything, what data is being sent back to the
mothership? I've never managed to find a convincing answer to that question.

------
Phait
It took me less than a minute to install Stylus and import all my userstyles
from Stylish.

~~~
dredmorbius
The headache for me was that the _stylesheets_ are transferred, but the
_applied domains_ are not.

I've got a system where I use a set of standard styles applied broadly against
many sites.

E.g.,

Annoyances -- applied globally to all websites by default:
[https://pastebin.com/raw/GrE9KX6D](https://pastebin.com/raw/GrE9KX6D)

Local Gifs:
[https://pastebin.com/raw/tn7cqGtJ](https://pastebin.com/raw/tn7cqGtJ)
(Exceptions to global gif filtering)

The following break on many sites too much to be applied as default, but can
be used fairly generally to selected sites as needed.

Animations blocking:
[https://pastebin.com/raw/7Gjxj6AT](https://pastebin.com/raw/7Gjxj6AT)

Headers / Footers:
[https://pastebin.com/raw/PsXWhUGf](https://pastebin.com/raw/PsXWhUGf)

Popups / Overlays blocker:
[https://pastebin.com/raw/VcgNNwDp](https://pastebin.com/raw/VcgNNwDp)

"Unstyled" CSS: what I apply to unstyled / minimally styled pages:
[https://pastebin.com/raw/rtfev3vj](https://pastebin.com/raw/rtfev3vj)

For development / testing / debug:

Debug CSS:
[https://pastebin.com/raw/Z3kFrRQy](https://pastebin.com/raw/Z3kFrRQy)

(Highlights class/id and entities in page.)

~~~
psychometry
One of those (either annoyances, headers, or popups) broke a fork of Stylish.
I'd click on the icon in the toolbar and the drop-down wouldn't appear. I
noticed the user style also broke AWS navigation.

~~~
dredmorbius
None of those sheets _except for Annoyances_ should be applied globally.

I don't guarantee Annoyances _won 't_ break other things, but I _do_ guarantee
that the others will.

Assign the to a nonexistent URL or domain initially, or disable them.

If you've got specific bugs with the Annoyances sheet ... I may be able to
address them.

My usual first-stop debugging tools are adding either an outline or background
colour to an element:

    
    
        outline: solid 2px red;
        background: #faa;
    

... which tends to show what rule(s) are being triggered. If something breaks,
add those rules, and disable the "display: none;" one.

I'm also finding that the shift to "display: flex;" styles is breaking some of
my assumptions. It's no longer safe to presume that everything is displayed as
one of block, inline-block, or inline.

Position directives are also problematic: initial, static, relative, absolute.

That said: I've evolved those styles over a few years, and they tend to work
reasonably well. Some nursemaiding required.

------
trio333
Always the same cycle.

1/ New great product is built. People love it.

2/ Once enough people use it, start monetizing in shady ways, annoying users
just not too much or they leave.

3/ Very annoyed users switch to another product back to 1/

~~~
oblio
Small correction:

1/ New great _free_ product is built. People love it.

Image and file hosting services and messengers are the best examples.

I swear it's because the well has been poisoned and it's just impossible to
monetize these services in a moral way.

~~~
owlmirror
This is absolutely not confined to free products. I did security audits for
companies and part of that job was giving a go ahead before we allowed people
to install software on their devices. Free software behaved much better than
paid software by a wide margin.

------
ssivark
Most browser extensions seem to require access to one's browsing history and
keystrokes, even for legitimate functioning. Is there any way to ensure that
they do only what they claim to do, and don't abuse the permissions? (Apart
from verifying the source code, because clearly, lines of junk code >>
interested eyeballs).

For example, would it be reasonable to enforce that an extension only acts
locally, and cannot communicate with any external server? (I guess allowing
arbitrary local modifications essentially allows the extension to execute
arbitrary javascript code, including communicating with arbitrary remote
entities?)

~~~
icebraining
Yes, it's very hard to block that, since even if you block XHR from their
JavaScript code, by changing the page DOM they can inject elements that
communicate with a server.

------
mjgoeke
For those actively using Stylish and needing to switch:

'"Stylus" is a fork of the popular Stylish extension which can be used to
restyle the web. Not "ish", but "us", as in "us" the actual users. Stylus is a
fork of Stylish that is based on the source code of version 1.5.2, which was
the most up-to-date version before the original developer stopped working on
the project. The objective in creating Stylus was to remove any and all
analytics, and return to a more user-friendly UI. We recognize that the
ability to transfer your database from Stylish is important, so this is the
one and only feature we've implemented from the new version.' [1]

[1] [https://add0n.com/stylus.html](https://add0n.com/stylus.html) and
[https://github.com/openstyles/stylus](https://github.com/openstyles/stylus)

------
HelenePhisher
Tampermonkey seems to be a good alternative as well and is available for all
major browsers.

Does anyone have information on if the Safari Stylish Addon does the same
shady things? It's available in the official App Store and was approved by
Apple it seems.

~~~
Volt
I was curious about this too. The source is on GitHub
([https://github.com/350d/stylish](https://github.com/350d/stylish)), but who
knows if Apple checks that they're the same when they're approving it.

Edit: I should note that it collects analytics, but it can be turned off in
the preferences. I don't remember if it's on by default, but I suspect it is.

~~~
HelenePhisher
Yes, the option is called "Collect anonymous usage statistics" and is turned
on by default. But I don't trust it anymore.

Tampermonkey is here BTW:
[https://tampermonkey.net/?browser=safari](https://tampermonkey.net/?browser=safari)

I really love that one, it does a great job in Safari. Unfortunately, there is
no Safari App Extension yet. Since I'm running Safari Preview and Safari 12
does not accept extensions from unknown sources anymore I'm out for now.

------
nailer
Just filed this Firefox bug:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1472948](https://bugzilla.mozilla.org/show_bug.cgi?id=1472948)

~~~
beart
Looks like the extension has already been removed from the store.

------
roadbeats
Meanwhile a simple and open source bookmarking extension was taken down with
no notice, no information
([https://news.ycombinator.com/item?id=17440358](https://news.ycombinator.com/item?id=17440358)).

------
tripzilch
Well, shit. I installed this extension a few months ago, because _multiple_
people HN recommended it.

Tried it out, but found a different way to restyle and adjust sites to my
tastes (uBlock and custom Greasemonkey) that I found easier. Then forgot about
it.

And now it turns out this thing has been slurping my Internet history for
months.

No downvotes, nobody calling them on it, just happy oblivious HN users that
carelessly install random browser extensions and then recommend them to other
people. Urgh.

------
_bxg1
This has been going on for _years_ and Google has done nothing about it. These
days I don't use any extensions where a major organization's reputation
doesn't depend on them not becoming spyware. Truly a shame; I used to get a
lot of benefit out of extensions, including a similar one named Stylebot, but
now I don't trust anything other than Adblock Plus and the React Developer
Tools to not covertly become malicious.

~~~
SippinLean
You probably shouldn't trust AB+ either (but switch to uBlock instead)

[https://en.wikipedia.org/wiki/Adblock_Plus#Controversy_over_...](https://en.wikipedia.org/wiki/Adblock_Plus#Controversy_over_ad_filtering_and_ad_whitelisting)

~~~
zulln
For reasons I do not recall now, you should use uBlock Origin instead of
uBlock as well. The former is often what people are referring to anyway, but
worth mentioning.

------
therealmarv
report stylish to Google
[https://chrome.google.com/webstore/report/fjnbnpbmkenffdnngj...](https://chrome.google.com/webstore/report/fjnbnpbmkenffdnngjfgmeleoegfcffe)

------
alexanderby
Dark Reader (which generates dark themes dynamically) added support for static
CSS so that style sheets could be migrated
[http://darkreader.org/blog/stylish/](http://darkreader.org/blog/stylish/)

------
mholt
Dangit - I just installed it yesterday to block Twitter's annoying timeline
additions ("So-and-so liked such-and-such") which don't honor the account's
word filter/blacklist. Any alternatives out there that are better?

~~~
KwanEsq
Stylus, as mentioned in the article:

[https://addons.mozilla.org/firefox/addon/styl-
us/](https://addons.mozilla.org/firefox/addon/styl-us/)

------
O1111OOO
10 months ago, I discovered and recommended _stylish_ on a post titled: "Show
HN: Make Medium Readable Again"[0]. I have only ever used it for a single
site: medium.

It's times like these I wish I could go back and edit/update an old post with
new info. I feel like I got stabbed in the back... which happens way too often
in tech these days no matter how careful you are.

[0]
[https://news.ycombinator.com/item?id=15123638](https://news.ycombinator.com/item?id=15123638)

------
fishtopher
In what is certainly a complete coincidence, the Stylish Firefox extension
threw up an "agree to our new TOS 'effective May 22, 2018.'" modal for me
today..

------
aplc0r
It appears Firefox has already moved on this. Came home today and was warned
that Stylish was an unsafe extension, and I can no longer find it listed as an
available add-on.

------
SSchick
I actually ran into this issue previously when for some reason I got a request
on a `hidden` (very cryptic URL listed nowhere) diagnostic endpoint on one of
our APIs. I ended up identifying stylish as the culprit, at first I disabled
the tracking option (which is opt out and probably violates GDPR), a few weeks
later I installed stylus.

I also reported it around the same time and gave it a 1/5 star rating but
google had no interest in the report it seems.

------
franga2000
I've been lucky enough to have never had an extension installed when it was
sold, so I don't know that this isn't already the case, but if it isn't, I
believe it should be: Whenever an extension changes hands (is transfered to
another account), the user should be notified in the same way they would be if
it requested new permissions. Along with a rule that accounts are non-
transferable, of course.

------
lifthrasiir
tl;dr: Use Stylus [1]. Use Stylus. Use Stylus.

I guess there should be an addon that notifies users for any ownership changes
to browser addons they use. Or is there?

[1]
[https://github.com/openstyles/stylus](https://github.com/openstyles/stylus)

~~~
kawera
This extension disables any updated extension that requires new permissions,
among other niceties: [https://chrome.google.com/webstore/detail/extensions-
update-...](https://chrome.google.com/webstore/detail/extensions-update-
notifie/nlldbplhbaopldicmcoogopmkonpebjm)

(I'm only a user)

~~~
spookyuser
I thought chrome did this automatically now.

------
captn3m0
Found same issue with Pricee the other day, not sure how to report:
[https://addons.mozilla.org/en-US/firefox/addon/pricee-
search...](https://addons.mozilla.org/en-US/firefox/addon/pricee-search-
engine/)

------
Sephr
The culprit in question tried to do the same thing to a Voice Search Chrome
extension in the past[1].

[1]
[https://twitter.com/sephr/status/1014240895095300096](https://twitter.com/sephr/status/1014240895095300096)

------
stratigos
Ugh! After so many years, I now have to view a white-themed internet again. I
forgot how painful and blindy websites are!

Pls redesign the whole internet to be dark themed, so we dont need add ons
like this to fix the world. Thanks!

------
garganzol
So it boils down to trust anyway. No way a code signing certificate can impose
that trust. At the end of the day, it all goes back to human stance towards
other beings in this world and own dignity.

------
Bromskloss
Since "youtube-dl does not include support for services that specialize in
infringing copyright", is there a fork, or addition, without this restriction?

------
kup0
Is there an alternative to userstyles.org for hosting styles? That site is run
by the Stylish folks, and I have removed my account and styles from it.

~~~
stonecrusher
Not really. Though, [https://openusercss.org/](https://openusercss.org/) is in
development right now. freestyler.ws is an unmaintained copy of userstyles.org

------
yuber
I wonder if Stylish is also able to data-mine the websites you visited while
in incognito mode, since extensions don't work there.

Does anybody have an idea?

------
eurticket
Is there a system in place to update everyone on new ownership changes and
implementation of anti user-good practices like this?

------
seba_dos1
Isn't it a common knowledge? People were massively switching to Stylus long
time ago.

~~~
exodust
I didn't know until today. I'm annoyed because I never noticed the opt-out
checkbox. It feels almost like I've been hacked... my browser history I
thought was my own private business, is actually in the hands of a some
marketing company.

------
pdimitar
Sadly Stylus is not in the Safari's plugins store.

Any alternatives for Mac users?

~~~
kitsunesoba
I’ll have to double check and make sure but as far as I know the safari
version of stylus doesn’t do this — it’s written and maintained by a totally
different developer.

I’m planning to write my own Safari stylesheet extension some time in the
coming months, though, because old style Safari extensions are being phased
out in favor of Safari app extensions and I don’t know if the dev of the
Safari stylish extension plans to make the leap.

~~~
pdimitar
Do you know the name of the extension in the Safari's addons store? I disabled
Stylish the moment I read this article here but I have no replacement.

If you do write such an addon as you said, please advertise it here in HN!

~~~
kitsunesoba
Correction, in my previous reply I meant to say that the Safari version of
Stylish (not stylus) has a different developer and doesn’t appear to share the
Chrome/Firefox extension’s tracking issues.

The code for the safari version is available here:
[https://github.com/350d/stylish](https://github.com/350d/stylish)

With a quick glance it looks to include google analytics, but that’s only used
on the extension’s settings page and doesn’t send browser history or anything
like that. JS isn’t my forte, though, so if anybody else could take a look and
confirm that’d be great.

------
ccnafr
It's not actually stealing if it's in the ToS, is it?

~~~
j88439h84
Yes, it is.

For example,

> TOS agreements require giving up first born—and users gladly consent

[https://arstechnica.com/tech-policy/2016/07/nobody-reads-
tos...](https://arstechnica.com/tech-policy/2016/07/nobody-reads-tos-
agreements-even-ones-that-demand-first-born-as-payment/)

~~~
reitanqild
As someone who used to read TOS and EULAs:

Somewhere around 10 years ago I switched strategy:

I don't read them at all. If anyone wants to sue my defense would be that
nobody in their right mind (sorry younger me) would read that nonsense.

I assume the rules are basically "don't abuse our content or service",

... and I assume that they will sooner or later sell, abuse, leak, or hand
over my data to law enforcement in any country including middle Eastern and
African ones.

------
akerro
Dont google and mozilla review source code of addons?

~~~
mcjiggerlog
Mozilla yes - there's a delay when publishing whilst an actual human reviews
the changes. For Google, updates are instantly published with, as far as I can
tell, no kind of audit.

~~~
fabricexpert
The Mozilla one is great, they insist on reproducible builds and do a thorough
review. Although they can't catch everything, I would pick FF over Chrome all
day for this reason alone.

------
sahin-boydas
Are There any response from Stylish developer?

------
IngvarLynn
"OneTab" is another popular extension with the same issue. Switched to
ff+"tabs aside" since then.

~~~
srgseg
That is absolutely not true. OneTab has never, ever transmitted any
information about your tabs outside of your browser, and will never divulge
them. I'm the developer. OneTab has never made a penny, and absolutely does
and always will deliver on the privacy promise.

