“Stylish” browser extension steals all your internet history (robertheaton.com)
484 points by mbaye on July 3, 2018 | 157 comments



This is a huge problem for the extension ecosystem in general. Who originally publishes an extension may not be the same entity that is pushing you updates in two years time, and there's no way as a user to know this.

I publish a few extensions [1] [2] [3] and have been contacted multiple times by companies asking to buy them for several thousand dollars. They told me the going rate was 0.20 USD per user. You can imagine what kind of deals are being made when the extension has a million plus users.

When pushed for exactly why they wanted to buy the extensions, which are in no way monetizable, they gave vague answers about "user insights". I can guarantee there will be many other major extensions that have sold out their users.

[1] https://chrome.google.com/webstore/detail/old-reddit-redirec...

[2] https://chrome.google.com/webstore/detail/break-timer/hklkdb...

[3] https://chrome.google.com/webstore/detail/reddit-comment-col...


It's actually how I became active in the webstore. Tab Manager was sold to some other company and filled with malware afterwards. It took the webstore team over a year to take it down.

Luckily enough the source code was still on github, and I managed to fork it and improve that version into "Tab Manager Plus" [1]

Since then I've refurbished around 10 extensions and published a few of my own. It's fun, just annoying that malicious extensions aren't getting taken down fast enough, since I suppose not enough people report them.

How to report malicious extensions is also sometimes unclear. Some people think they have to install them first, that's only true for ratings, not reports. For example to report the extension from this blog post you just have to submit this form [2]

For other malicious extensions simply replace the extension id in that link.

[1] Tab Manager Plus - https://chrome.google.com/webstore/detail/tab-manager-plus-f...

[2] Report extension - https://chrome.google.com/webstore/report/fjnbnpbmkenffdnngj...


On the other side of the coin, Firefox makes it quite hard to push updates to users that require more permissions, requiring manual intervention to update. It signifies this with a small muted yellow exclamation mark on the hamburger menu, which is really hard to see.

I've not received my own updates for weeks a few times because I haven't noticed the warning, and about a third of our users are on ancient versions presumably because of it [1].

I think the real solution to this problem is GDPR: massive fines if you abuse your users' trust (and get caught).

I'm not keen on the literal dark pattern that Firefox uses to dissuade developers from requiring new permissions.

[1] https://addons.mozilla.org/en-US/firefox/addon/tridactyl-vim...


Firefox (Chrome) should make it very easy for anyone to audit what extensions/plugins are doing.

If url, div, cookies and any other info are collected, what are they?

What server connections are made by the extension, IP, Name, contents of info transmitted?

All the GUI and collection systems should be in place as part of the JS dev/debug tools already. Just customize it a bit so any tech-savvy user can check the audit logs and enable more logging for a plugin if needed.

If a user spots something not right, it is also easy to out the "plugin/extension" on a public forum.


Actually, Chrome does this too:

> Chrome prompts the user if adding the permissions results in different warning messages than the user has already seen and accepted.[1]

[1]: https://developer.chrome.com/extensions/permissions


The thing with Chrome extensions is, many, many extensions already require the ability to interact with every page you visit, which is essentially Chrome extension root. If your extension already requires this, you don't need to add permissions when you update / sell your extension, so nobody is warned.


Firefox is in the right here. I absolutely do not ever want extensions to automatically get new permissions just because I accepted an old version's lesser permissions.

If you want more permissions, then ask for more permissions.

And don't be surprised when people say NO.

Not everyone wants to grant the permissions to your update even if the update fixes bugs in older versions. Not everyone will want your new feature in the first place. Denying permissions is an easy way to eliminate the risk of having to go through and figure out whether or not the new feature is trustworthy.

And if you're not adding a new feature, then why do you need more permissions?


Automatic permission addition is totally unacceptable, agreed. But I do think that Firefox should actually ask, at least once. A vague exclamation point on the edge of the screen isn't really a sufficient way of handling that for extensions a user has chosen to add.


> then ask for more permissions.

I agree with you. As another reply to you states, however, Firefox doesn't currently let me ask. You have to kind of go hunting for it.

> And if you're not adding a new feature, then why do you need more permissions?

Firefox does not let me explain why the permissions are needed. It would be nice if we could have a little blurb where we can state our case next to each permission.

Our current approach is to explain likely upcoming permissions requests in advance and ask our users to stay vigilant for the appearance of the tiny yellow exclamation mark, but that's not very helpful to the third of users stuck on old versions before we learnt that trick.

> And don't be surprised when people say NO.

I think very few of these users have said no on purpose. We ask for (and use) almost everything [1], so any marginal new permissions are unlikely to give us much more power. The current permission model actually makes it tempting to just literally ask for everything because we might want it for a new feature in the future.

The optional permissions are not fine-grained enough to be useful (you can accept all optional permissions, or none) and not available for enough permissions, otherwise we would use them.

Also, the first versions of our software were really slow and bad. I really doubt many people are staying there on purpose. (If there are any Tridactyl users in this thread using an old version on purpose, I'd like to hear from you :) ).

[1] https://github.com/cmcaine/tridactyl/blob/e20a224fb8d8bbb2b7...


Firefox and Chromium are both open source. If you don't like the way it works, then work with the teams to build a better experience.


I can kind of understand that charge when it is levelled about people complaining about Quantum and doing nothing about it, but I already spend countless hours a week working on a replacement for an extension that died because of Quantum.

How much more time can I reasonably be expected to donate? Just trying to find duplicates on the BMO could take ages.

Complaining into the void on the internet takes much less time and makes me feel better :)


Maybe start pointing out how things are far too complex and work to reduce complexity instead?


New permissions shouldn't be taken lightly. One day you'll install an extension that has access only to a specific site, and the next day it's requesting access to all your bookmarks, location data, history etc. If you make it into a next next next dialogue box you're implementing an easily abused dark pattern.

A better approach would be to allow extension upgrades, irrespective of permissions. If a user chooses to deny permissions the extension should still work on the latest version.


Why not just return empty datasets to extensions that ask for too much? Empty history, empty address book, white noise for camera and microphones, etc. Then it would be possible not only to ‘accept’ what it does or uninstall, but seamlessly deny what you don’t want.


Yes, agree!


I also have been contacted many times, and offered 1-3k for an extension I have with about 15k users.

The extension has a backend API and web service which is required for the extension to work, not once has a buyer asked about acquiring that. They only want the extension and literally have no understanding of how it works or what it does. Their intent is obvious.


SimilarWeb and Jumpshot are the major clickstream companies that buy these extensions. One way to see whether an extension mines your browsing history is to use a tool like Fiddler to sniff out the outgoing requests.

One sneaky way to get back at them is to send a bunch of fake “poison” requests with fake data back at these guys. It probably won't hurt them but if enough people do it, it might make their data worse and make their operation unprofitable.


This issue stands for apps as well. I once had someone try to buy [1] my popular Android app just to replace it with malware which would then be pushed to users through an innocuous update. What's so interesting to me is that there's no good way to prevent or even detect this.

[1] https://willrobbins.org/a-clever-malware-tactic-and-why-ther...


I realize this is bad, but what happens to the user data exactly? I mean can someone here paint the bleakest, most dystopian possible use or future?


The dystopian scenarios are fun to think about, but realistically speaking what happens is your data is used for market research. The vast majority of it is used to curate your advertising profile more effectively or to generate financial insights about companies based on consumer habits.

In my experience anonymization is hit or miss, but ostensibly always in place.


It gets sold to private investigators and insurers, and you shouldn't have ever Googled for "alzheimer disease symptoms" and you lose your child custody rights after a judge decides what you're looking at on YouPorn isn't sufficiently healthy.


Build a social/interaction graph and fill everything with Ads while selling the same information to intelligence agencies. No discretion. Only money. Nothing personal, it's just business. Sounds familiar? Facebook invented that already.


A lot of people focus on how this information is used by advertisers, which can be a problem, but in my opinion the bigger issue is how data brokers are starting to act like completely unregulated and sometimes highly inaccurate credit reports.


Do you mean the data is actually used to determine the credit of a business/individual?


Those two reddit plugins are great, particularly the comment collapse one. I'm used to using the Apollo reddit app now and I love its collapse feature (the native reddit one sucks).

Installed and will be using both. Please don't steal my data!


I disagree. Every time an add on is updated in FF I get directed to the patch notes. RTFM.


This is absolutely not universally true.


I've gotten annoyed enough to just copy the source from most of my extensions (located at `~/.config/google-chrome/Default/Extensions/`), remove the update stuff from the `metadata.json` and load them as developer extensions so they never update.

It's easy enough to update them + audit the code when something breaks. The hardest part is downloading the new code (.crx) without installing it; I had to write javascript I paste into the console. StackOverflow can unzip a crx by stripping the first 306 bytes.

I forked Stylish v1.5.2 a year ago before I heard of Stylus, but I've no need to switch since the original extension was pretty good. https://github.com/Zren/chrome-extension-stylish#fork


Would recommend this extension: https://chrome.google.com/webstore/detail/chrome-extension-s...

Allows you to easily audit and download the extension right from the Web Store page.


You can extract the .crx without Javascript using this webservice: http://crxextractor.com/

Used it a couple of times in the past, it is a good one.


All you need to do is remove the first 306 bytes to turn it into a normal zip file.

    tail -c +307 in.crx > out.zip
Credit to this guy in the comments. https://superuser.com/questions/139190/how-to-unpack-a-chrom...
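The 306-byte figure above is not a property of the CRX format but of the specific key and signature sizes most CRX2 files happened to use (a 162-byte DER RSA-1024 public key plus a 128-byte signature, after the 16-byte fixed header). The following added example, not code from the thread or from any of the linked projects, reads the CRX header instead, so the ZIP offset is derived for CRX2 files with any key length and for the newer CRX3 container, and then opens the embedded archive in memory to pull out `manifest.json` for auditing. The sample containers are constructed inline with zero-filled placeholder key, signature and header bytes; they are not real extensions.

```python
"""Locate and open the ZIP payload inside a Chrome .crx package.

CRX2 layout: magic(4) | version(4) | pubkey_len(4) | sig_len(4) | pubkey | sig | zip
CRX3 layout: magic(4) | version(4) | header_len(4) | protobuf header   | zip
All integers are little-endian uint32.
"""
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"


def is_crx(data: bytes) -> bool:
    """Cheap sanity check: correct magic and a version we know how to parse."""
    return len(data) >= 12 and data[:4] == CRX_MAGIC and struct.unpack_from("<I", data, 4)[0] in (2, 3)


def zip_offset(crx: bytes) -> int:
    """Return the byte offset at which the embedded ZIP archive starts."""
    if not is_crx(crx):
        raise ValueError("not a CRX2/CRX3 file")
    version = struct.unpack_from("<I", crx, 4)[0]
    if version == 2:
        if len(crx) < 16:
            raise ValueError("truncated CRX2 header")
        pubkey_len, sig_len = struct.unpack_from("<II", crx, 8)
        offset = 16 + pubkey_len + sig_len
    else:  # version == 3: a single length-prefixed protobuf header
        header_len = struct.unpack_from("<I", crx, 8)[0]
        offset = 12 + header_len
    if offset > len(crx):
        raise ValueError("header claims more bytes than the file contains")
    if crx[offset:offset + 2] != b"PK":
        raise ValueError("no ZIP local file header at the computed offset")
    return offset


def extract_manifest(crx: bytes) -> dict:
    """Open the embedded ZIP in memory and return the parsed manifest.json."""
    payload = crx[zip_offset(crx):]
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return json.loads(zf.read("manifest.json"))


def _build_zip(manifest: dict) -> bytes:
    """Constructed helper: a minimal ZIP containing only a manifest.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


# Constructed samples (placeholder key/signature/header bytes, not real ones).
SAMPLE_MANIFEST = {"name": "constructed-sample", "version": "1.0", "manifest_version": 2}
SAMPLE_ZIP = _build_zip(SAMPLE_MANIFEST)
# CRX2 with a 162-byte key and 128-byte signature: the classic 306-byte prefix.
SAMPLE_CRX2 = CRX_MAGIC + struct.pack("<III", 2, 162, 128) + b"\x00" * 162 + b"\x00" * 128 + SAMPLE_ZIP
# CRX3 with a 20-byte placeholder protobuf header: the prefix is 12 + 20 = 32 bytes.
SAMPLE_CRX3 = CRX_MAGIC + struct.pack("<II", 3, 20) + b"\x00" * 20 + SAMPLE_ZIP

if __name__ == "__main__":
    print(zip_offset(SAMPLE_CRX2))  # 306, the same skip as `tail -c +307`
    print(zip_offset(SAMPLE_CRX3))  # 32
    print(extract_manifest(SAMPLE_CRX2)["name"])
```

The `tail -c +307` one-liner still works for old CRX2 files signed with 1024-bit keys; anything else (longer keys, or a CRX3 package, which Chrome has used for new uploads since 2019) needs the header read rather than a fixed skip, and the `PK` check catches the case where the computed offset is wrong.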


I'm glad that workflow works for you.

I'm curious though - What about it is better than turning off automatic updates for addons?


Last I checked, there is no option to turn off automatic updates. Maybe that's changed.


Interesting - It looks like Firefox has an easy option to block them, but I don't see one in Chrome.


Offices in the UK. I would encourage anyone in the EU who used this to file a GDPR complaint.


Look here to find out where you can file the complaint in your local country:

https://ec.europa.eu/commission/sites/beta-political/files/n...


From their Privacy Policy:

"Where provided under applicable law (such as within the European Union), you may have the right to ask us to delete Personal Information which you have provided to us [... ] contact our Data Protection Officer at: dpo@userstyles.org."

https://addons.mozilla.org/en-US/firefox/addon/stylish/priva...


That's nice for them. I also have the right to refer them to my local data commissioner though, about the absolute lack of meaningful consent they gathered from me here. I hope their investors get taken to the cleaners by the resulting fines.


That still isn't GDPR compliant, because it's forced consent, which is no consent.


Data collection by default. They don't even ask to "opt in". Hopefully they will pay enough in EU to learn.


Quickly though.


GDPR applies for all users located in the EU, not only to companies headquartered in the EU, so Brexit is not that much of a concern here.

Also, the transition period will bind the UK to most EU laws for a few more years.


It is already in U.K. law, in any event:

* http://legislation.gov.uk/ukpga/2018/12/contents/enacted/dat...


That isn't the GDPR, although it is related.

The GDPR is UK law automatically because it is a Regulation, not a Directive (which needs to be transposed into national law).

The Data Protection Act 2018 implements the Law Enforcement Directive (as the GDPR excludes that from its scope) and a couple of minor derogations (such as changing the age of consent for children to use websites by themselves to 14).


I thought the UK left the EU after having negotiated the deal in an afternoon.


As others have said, immediately switch to Stylus. While we're at it stop using Ghostery as well since they were bought by an ad company. Use Privacy Badger or a decent alternative (noscript + heavy/custom uBlock lists should work just fine)


If you don't want the heavy-handed solution that NoScript provides, I would suggest "uBlock Matrix".


There are two, similar, though different, extensions.

uBlock origin is a dedicated, quite-good, low-fuss, ad blocker.

uMatrix is a much more general, very powerful, though somewhat fussy, general Web capabilities manager. If you don't mind fiddling with sites periodically, it's very strongly recommended, but for user populations who don't do this or grasp technology poorly, it will require some fairly close managing, _especially_ if the user base doesn't report problems and just accepts "the site is broken".

I'd highlighted my preset recommended set of browser extensions for 2018 a couple of weeks back. The hero image is uMatrix's control interface.

https://plus.google.com/104092656004159577193/posts/WVEM83FY...


> for user populations who don't do this or grasp technology poorly, it will require some fairly close managing

I would never have imagined installing it for non-technical users, but one was interested in giving it a try and had no problem. They even said they really liked learning how the web worked (uMatrix shows a grid (the matrix) of hosts and functionality, such as CSS, images, scripts, media, etc.). So I gave it to another non-technical user, and they also like it.

Both have been surprised to see the number of domains that contribute to one webpage (most users assume it's all from the domain they typed into the URL field), and how often Facebook, Twitter, Google Analytics, and other tracking domains show up in that matrix.


If the site loads tons of crapware then the site is broken regardless of whether or not uMatrix blocked things.


If you've not been paying attention or specifically trying to counter that trend, you'd be amazed at how complex a typical site is. Even those which otherwise appear clean.


I appreciate the sentiment but indeed I know very well how complex a typical site is. Unfortunately I think a very large portion of most websites are far too complex for what they provide.


Agreed on that last.


I think it's just "uMatrix".


It is, my bad.


How does that compare to uBlock Origin?


> While we're at it stop using Ghostery as well since they were bought by an ad company.

Ghostery invites you to submit various data to support it these days, but seems to be transparent about it and to work on an opt-in basis, so quite different to Stylish. Are you aware of other things that Ghostery is doing without the same transparency and consent?


Ghostery can replace scripts like Google Analytics with stubs that expose the same API but don't do anything. Last time I checked, NoScript/uMatrix can only outright block those scripts from loading, which breaks some poorly-coded sites.


Honestly, the only reason I had Stylish installed was because multiple people on HN recommended it. So you'll excuse me if I don't "immediately" switch to the next random recommendation, especially if it comes with the reason that others in this thread are recommending it too!

BTW your characterisation of Ghostery's relation to an "ad company" is incorrect. It's an odd enough situation that I'm not using it any longer but they didn't get "bought by an ad company". Unless something new happened to them, in which case, please provide a link.


Have you tried Dark Reader? I was using Stylus for dark theme only.


I'm aware of Ghostery's data-scavenging, and not happy that it's opt-out (GDPR noncompliant), but it can be disabled.

It's on my flagged list, but remains installed.


uBlock Origin can also make style changes to webpages with :style(), it might be good enough for you if you don’t need too many changes.


I discussed this problem (in a bit inflammatory way) last month: https://news.ycombinator.com/item?id=17242003

It's particularly annoying, because I do have this Stylish extension installed (using css ::after rules to tag HN users)

EDIT: You can submit an abuse report when uninstalling a Chrome extension.


Sort of ironic sending an abuse notification to a company that does precisely the same thing on a much vaster scale. And I would assume that the T&C for the new and improved Stylish that you accept when you install it informs you that you are giving them permission to do this, so there isn't even any abuse to complain about here.


I had this extension installed for years, from back when it was "still good". I don't recall ever seeing a T&C prompt, and in the last 3-4 years I've become quite vigilant about always reading full T&C texts (much to the amusement of others).

I was put in this tracking program without my consent.


This reminds me of the "WOT, Web of Trust" (haha) privacy issue in 2016: reporters (disguised as businessmen) were offered data that included the surfing habits of three million German citizens. This data was, at least partly, collected by the “Web of Trust” (WOT) browser extensions. The reporters were able to use this data to identify the browsing habits of individual persons – including high-ranking German and EU politicians.

English: https://ocr.space/blog/2016/11/wot-browser-extension-collect...


Indeed. I never trusted it. I never trust any feature or add-on that uploads anything. That includes malicious site detectors. I only use stuff that relies on local databases.


Any recommendations on malicious site alternatives?

I'm still looking to update my router (Turris Omnia) to use DNSMasq rather than Knot Resolver, which may offer an edge on DNSSec capabilities (though I believe this has lapsed), but is far less capable of being locally customised along the lines of DNSMasq.

https://www.knot-resolver.cz/

http://www.thekelleys.org.uk/dnsmasq/doc.html


Google needs to take action here, whether by requiring users to re-confirm permissions every time a significant privacy policy change is made, or just by nuking SimilarWeb altogether from the web App Store.


I can already see the followup HN news: "Google attacking developers on Chrome Web Store and breaking free web!"


In case you weren't aware of how prescient your comment is:

https://news.ycombinator.com/item?id=17453471


Yeah one thing Google doesn't do is collect info about what you do on the internet and sell it to other people.

https://myactivity.google.com/myactivity

More seriously: if Stylish concerns you, Chrome should too.


Google indeed doesn't sell info to other people. (It does collect it though.)


Is there a definitive list anywhere of what Chrome collects and where it goes?

There have been rumours forever, but I'm interested in verifiable facts.


If you're logged in, which Chrome strongly encourages, it's your entire browsing history. See the URL above.


Thanks, but what I'm really trying to ask here is what a vanilla Chrome installation does. If someone just installs Chrome, leaves all settings as defaults, and doesn't opt in to anything, what data is being sent back to the mothership? I've never managed to find a convincing answer to that question.


It collects it for the purpose of building a better advertising profile of you- so it can make more money from ads. It’s still using my data about me and making money off of it.


Not to complain about downmodding - I can afford to lose the karma - but this thread's a little unusual in terms of comments summing up Google's business model (which most people on HN should be aware of) going from highly upmodded to highly downmodded.


Good point, I should say sell /access to/ (via DoubleClick, AdWords and their other sources of revenue)


It took me less than a minute to install Stylus and import all my userstyles from Stylish.


The headache for me was that the stylesheets are transferred, but the applied domains are not.

I've got a system where I use a set of standard styles applied broadly against many sites.

E.g.,

Annoyances -- applied globally to all websites by default: https://pastebin.com/raw/GrE9KX6D

Local Gifs: https://pastebin.com/raw/tn7cqGtJ (Exceptions to global gif filtering)

The following break on many sites too much to be applied as default, but can be used fairly generally to selected sites as needed.

Animations blocking: https://pastebin.com/raw/7Gjxj6AT

Headers / Footers: https://pastebin.com/raw/PsXWhUGf

Popups / Overlays blocker: https://pastebin.com/raw/VcgNNwDp

"Unstyled" CSS: what I apply to unstyled / minimally styled pages: https://pastebin.com/raw/rtfev3vj

For development / testing / debug:

Debug CSS: https://pastebin.com/raw/Z3kFrRQy

(Highlights class/id and entities in page.)


You must have done something wrong, of course the applied domains are also transferred. Maybe you didn't use the export function but just copied the source?


One of those (either annoyances, headers, or popups) broke a fork of Stylish. I'd click on the icon in the toolbar and the drop-down wouldn't appear. I noticed the user style also broke AWS navigation.


None of those sheets except for Annoyances should be applied globally.

I don't guarantee Annoyances won't break other things, but I do guarantee that the others will.

Assign them to a nonexistent URL or domain initially, or disable them.

If you've got specific bugs with the Annoyances sheet ... I may be able to address them.

My usual first-stop debugging tools are adding either an outline or background colour to an element:

    outline: solid 2px red;
    background: #faa;
... which tends to show what rule(s) are being triggered. If something breaks, add those rules, and disable the "display: none;" one.

I'm also finding that the shift to "display: flex;" styles is breaking some of my assumptions. It's no longer safe to presume that everything is displayed as one of block, inline-block, or inline.

Position directives are also problematic: initial, static, relative, absolute.

That said: I've evolved those styles over a few years, and they tend to work reasonably well. Some nursemaiding required.


Always the same cycle.

1/ New great product is built. People love it.

2/ Once enough people use it, start monetizing in shady ways, annoying users just not too much or they leave.

3/ Very annoyed users switch to another product back to 1/


Small correction:

1/ New great _free_ product is built. People love it.

Image and file hosting services and messengers are the best examples.

I swear it's because the well has been poisoned and it's just impossible to monetize these services in a moral way.


This is absolutely not confined to free products. I did security audits for companies and part of that job was giving a go ahead before we allowed people to install software on their devices. Free software behaved much better than paid software by a wide margin.


Shouldn't have needed it in the first place. What happened to pointing to a CSS file?


True. Userscripts and userstyles should be a part of the browser itself. Userstyles were at some point, AFAIR, at least on Firefox.


Most browser extensions seem to require access to one's browsing history and keystrokes, even for legitimate functioning. Is there any way to ensure that they do only what they claim to do, and don't abuse the permissions? (Apart from verifying the source code, because clearly, lines of junk code >> interested eyeballs).

For example, would it be reasonable to enforce that an extension only acts locally, and cannot communicate with any external server? (I guess allowing arbitrary local modifications essentially allows the extension to execute arbitrary javascript code, including communicating with arbitrary remote entities?)


Yes, it's very hard to block that, since even if you block XHR from their JavaScript code, by changing the page DOM they can inject elements that communicate with a server.


Does NoScript detect connections by other add-ons to remote servers?

I do see in https://noscript.net/faq

> ... Firefox extensions are written in JavaScript too and NoScript doesn't block scripts living outside web pages (i.e. the browser components, included extensions) ...


For those actively using Stylish and needing to switch:

'"Stylus" is a fork of the popular Stylish extension which can be used to restyle the web. Not "ish", but "us", as in "us" the actual users. Stylus is a fork of Stylish that is based on the source code of version 1.5.2, which was the most up-to-date version before the original developer stopped working on the project. The objective in creating Stylus was to remove any and all analytics, and return to a more user-friendly UI. We recognize that the ability to transfer your database from Stylish is important, so this is the one and only feature we've implemented from the new version.' [1]

[1] https://add0n.com/stylus.html and https://github.com/openstyles/stylus


Tampermonkey seems to be a good alternative as well and is available for all major browsers.

Does anyone have information on whether the Safari Stylish addon does the same shady things? It's available in the official App Store and was approved by Apple, it seems.


I was curious about this too. The source is on GitHub (https://github.com/350d/stylish), but who knows if Apple checks that they're the same when they're approving it.

Edit: I should note that it collects analytics, but it can be turned off in the preferences. I don't remember if it's on by default, but I suspect it is.


Yes, the option is called "Collect anonymous usage statistics" and is turned on by default. But I don't trust it anymore.

Tampermonkey is here BTW: https://tampermonkey.net/?browser=safari

I really love that one, it does a great job in Safari. Unfortunately, there is no Safari App Extension yet. Since I'm running Safari Preview and Safari 12 does not accept extensions from unknown sources anymore I'm out for now.



Looks like the extension has already been removed from the store.


Meanwhile a simple and open source bookmarking extension was taken down with no notice, no information (https://news.ycombinator.com/item?id=17440358).


Well, shit. I installed this extension a few months ago, because multiple people on HN recommended it.

Tried it out, but found a different way to restyle and adjust sites to my tastes (uBlock and custom Greasemonkey) that I found easier. Then forgot about it.

And now it turns out this thing has been slurping my Internet history for months.

No downvotes, nobody calling them on it, just happy oblivious HN users that carelessly install random browser extensions and then recommend them to other people. Urgh.


This has been going on for years and Google has done nothing about it. These days I don't use any extensions where a major organization's reputation doesn't depend on them not becoming spyware. Truly a shame; I used to get a lot of benefit out of extensions, including a similar one named Stylebot, but now I don't trust anything other than Adblock Plus and the React Developer Tools to not covertly become malicious.


You probably shouldn't trust AB+ either (but switch to uBlock instead)

https://en.wikipedia.org/wiki/Adblock_Plus#Controversy_over_...


For reasons I do not recall now, you should use uBlock Origin instead of uBlock as well. The former is often what people are referring to anyway, but worth mentioning.



Dark Reader (which generates dark themes dynamically) added support for static CSS so that style sheets could be migrated http://darkreader.org/blog/stylish/


Dangit - I just installed it yesterday to block Twitter's annoying timeline additions ("So-and-so liked such-and-such") which don't honor the account's word filter/blacklist. Any alternatives out there that are better?


Stylus, as mentioned in the article:

https://addons.mozilla.org/firefox/addon/styl-us/


Dark Reader (which generates dark themes dynamically) added support for static CSS so that style sheets can be migrated http://darkreader.org/blog/stylish/


10 months ago, I discovered and recommended stylish on a post titled: "Show HN: Make Medium Readable Again"[0]. I have only ever used it for a single site: medium.

It's times like these I wish I could go back and edit/update an old post with new info. I feel like I got stabbed in the back... which happens way too often in tech these days no matter how careful you are.

[0] https://news.ycombinator.com/item?id=15123638


In what is certainly a complete coincidence, the Stylish Firefox extension threw up an "agree to our new TOS 'effective May 22, 2018.'" modal for me today.


It appears Firefox has already moved on this. Came home today and was warned that Stylish was an unsafe extension, and I can no longer find it listed as an available add-on.


I actually ran into this issue previously when for some reason I got a request on a `hidden` (very cryptic URL listed nowhere) diagnostic endpoint on one of our APIs. I ended up identifying stylish as the culprit, at first I disabled the tracking option (which is opt out and probably violates GDPR), a few weeks later I installed stylus.

I also reported it around the same time and gave it a 1/5 star rating but google had no interest in the report it seems.


I've been lucky enough to have never had an extension installed when it was sold, so I don't know that this isn't already the case, but if it isn't, I believe it should be: whenever an extension changes hands (is transferred to another account), the user should be notified in the same way they would be if it requested new permissions. Along with a rule that accounts are non-transferable, of course.


tl;dr: Use Stylus [1]. Use Stylus. Use Stylus.

I guess there should be an addon that notifies users for any ownership changes to browser addons they use. Or is there?

[1] https://github.com/openstyles/stylus


And also keep a separate browser profile without ANY extensions for doing your banking and other financial work.


This extension disables any updated extension that requires new permissions, among other niceties: https://chrome.google.com/webstore/detail/extensions-update-...

(I'm only a user)


I thought chrome did this automatically now.


Or don't, because it depends on openstyles.org which is also owned by SimilarWeb.


Firefox lets you know when an addon changes permissions between versions. You are prompted to accept the new permissions before upgrading the addon. This has been helpful in weeding out addons that become too data hungry.


Sometimes extensions plan such things a long time ahead - for example this extension https://chrome.google.com/webstore/detail/bitcoin-litecoin-e... injects itself currently into all websites, and sends the url back to its own background page.

So once they are ready to add malicious code in the future to pass that information somewhere else, no permission changes will be required.

Before downloading any extensions, I usually inspect them quickly with https://chrome.google.com/webstore/detail/chrome-extension-s...

The most important parts are "manifest.json" and then, if defined, the content scripts that match catch-all URLs such as "https://*/*" / "http://*/*".

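The manifest checks described in the comment above, written out as an added example (this is not the inspector extension linked there, nor code from any of the projects discussed). It parses a constructed `manifest.json`, flags content scripts and host permissions that cover every site, flags API permissions that expose browsing activity, and flags a `content_security_policy` whose `script-src` allows remote hosts or `'unsafe-eval'`, which is the manifest-level signal that an extension may load code it does not ship. The permission and match-pattern lists are this example's own heuristics, not an official list.

```python
import json

# Match patterns that make a content script run on every origin.
CATCH_ALL_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that reveal browsing activity even without content scripts.
# Heuristic list chosen for this example (assumption, not an official set).
SENSITIVE_PERMISSIONS = {
    "tabs", "history", "webRequest", "webRequestBlocking",
    "webNavigation", "cookies",
}


def is_catch_all(pattern: str) -> bool:
    """True when a match pattern or host permission covers every host."""
    p = pattern.strip()
    return p in CATCH_ALL_MATCHES or p.startswith(("*://*/", "http://*/", "https://*/"))


def risky_script_sources(csp: str) -> list[str]:
    """Return script-src tokens that allow remote or dynamically evaluated code."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return [t for t in tokens[1:]
                    if t == "'unsafe-eval'" or t.startswith(("http:", "https:"))]
    return []


def review_manifest(manifest_text: str) -> list[str]:
    """Return human-readable findings for a manifest.json document."""
    m = json.loads(manifest_text)
    findings = []

    # Host permissions live in "permissions" for MV2 and "host_permissions" for MV3.
    host_perms = list(m.get("host_permissions", []))
    api_perms = []
    for p in m.get("permissions", []):
        if "://" in p or p == "<all_urls>":
            host_perms.append(p)
        else:
            api_perms.append(p)

    for p in host_perms:
        if is_catch_all(p):
            findings.append(f"host permission covers every site: {p}")
    for p in api_perms:
        if p in SENSITIVE_PERMISSIONS:
            findings.append(f"permission exposes browsing activity: {p}")

    for i, cs in enumerate(m.get("content_scripts", [])):
        broad = [pat for pat in cs.get("matches", []) if is_catch_all(pat)]
        if broad:
            findings.append(
                f"content_scripts[{i}] injects {cs.get('js', [])} into every site via {broad}")

    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 shape: {"extension_pages": "..."}
        csp = csp.get("extension_pages", "")
    risky = risky_script_sources(csp)
    if risky:
        findings.append(f"CSP script-src allows remote or dynamic code: {risky}")

    return findings


# Constructed sample manifests (not taken from any real extension).
BROAD_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-broad",
    "permissions": ["tabs", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*", "http://*/*"], "js": ["inject.js"]}],
    "content_security_policy":
        "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'",
})

NARROW_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-narrow",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://medium.com/*"], "js": ["style.js"]}],
})

if __name__ == "__main__":
    for label, text in (("broad", BROAD_MANIFEST), ("narrow", NARROW_MANIFEST)):
        print(label, review_manifest(text) or ["no findings"])
```

A clean result does not mean the extension is safe (the background page can still call `tabs` APIs it already holds, and the JS itself needs reading), but a manifest that combines catch-all injection with a relaxed `script-src` is exactly the shape that lets tracking be switched on later without any permission prompt.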

Thank you for the information. Very helpful.


Yep, switched a few months back when I last heard about Stylish being bad, and never looked back. It works very similarly and you can import/export all your stuff so it's super easy to switch.


They do have to make you agree to the new TOS, so just make sure to at least skim any plugin popups/pages that come up after an extension update.


Before uninstalling stylish, consider visiting its webstore page and rating it 1-star so that upcoming users know it's not a great extension.


You can report abuse without installing, so that's an option too.


Found same issue with Pricee the other day, not sure how to report: https://addons.mozilla.org/en-US/firefox/addon/pricee-search...


The culprit in question tried to do the same thing to a Voice Search Chrome extension in the past[1].

[1] https://twitter.com/sephr/status/1014240895095300096


Ugh! After so many years, I now have to view a white-themed internet again. I forgot how painful and blinding websites are!

Pls redesign the whole internet to be dark themed, so we don't need add-ons like this to fix the world. Thanks!


So it boils down to trust anyway. No way a code signing certificate can impose that trust. At the end of the day, it all goes back to human stance towards other beings in this world and own dignity.


Since "youtube-dl does not include support for services that specialize in infringing copyright", is there a fork, or addition, without this restriction?


Is there an alternative to userstyles.org for hosting styles? That site is run by the Stylish folks, and I have removed my account and styles from it.


Not really. Though, https://openusercss.org/ is in development right now. freestyler.ws is an unmaintained copy of userstyles.org


I wonder if Stylish is also able to data-mine the websites you visited while in incognito mode, since extensions don't work there.

Does anybody have an idea?


Is there a system in place to update everyone on new ownership changes and implementation of anti user-good practices like this?


Isn't it common knowledge? People were massively switching to Stylus a long time ago.


I didn't know until today. I'm annoyed because I never noticed the opt-out checkbox. It feels almost like I've been hacked... my browser history, which I thought was my own private business, is actually in the hands of some marketing company.


Sadly, Stylus is not in Safari's plugins store.

Any alternatives for Mac users?


I’ll have to double check and make sure but as far as I know the safari version of stylus doesn’t do this — it’s written and maintained by a totally different developer.

I’m planning to write my own Safari stylesheet extension some time in the coming months, though, because old style Safari extensions are being phased out in favor of Safari app extensions and I don’t know if the dev of the Safari stylish extension plans to make the leap.


Do you know the name of the extension in Safari's addons store? I disabled Stylish the moment I read this article here but I have no replacement.

If you do write such an addon as you said, please advertise it here in HN!


Correction, in my previous reply I meant to say that the Safari version of Stylish (not stylus) has a different developer and doesn’t appear to share the Chrome/Firefox extension’s tracking issues.

The code for the safari version is available here: https://github.com/350d/stylish

With a quick glance it looks to include google analytics, but that’s only used on the extension’s settings page and doesn’t send browser history or anything like that. JS isn’t my forte, though, so if anybody else could take a look and confirm that’d be great.


Freestyler might work. https://github.com/openstyles/stylus/wiki/Stylish-Alternativ... Don't know if it's maintained and can be trusted.


Use a real browser? But (bad) joke aside, could you not use multiple browsers instead of just the one? Stylus and Dark Reader are both available for Firefox and Chrome/Chromium.


Firefox's ability to transparently sync tabs between all your devices is useful but it's not up to speed with Safari's -- sometimes it takes MINUTES for it to sync.

I'd argue with you about what a "real" browser is all day but really, it boils down to -- I am not interested if the latest standards are implemented. Those latest standards are made by regular humans, and they do dumb crap all the time. So "newest" =/= "best".

I quite like Safari's Reading mode and Reading list (especially having in mind that it can cache offline things you put in the reading list; you can read all of those without internet).

I will concede however that it's definitely very behind in terms of addons. That's a weak point. And Firefox gets better and quicker constantly.

TL;DR: I use both Safari and Firefox heavily and I love both. But Safari is a little better in terms of information management.


It's not actually stealing if it's in the ToS, is it?


Yes, it is.

For example,

> TOS agreements require giving up first born—and users gladly consent

https://arstechnica.com/tech-policy/2016/07/nobody-reads-tos...


As someone who used to read TOS and EULAs:

Somewhere around 10 years ago I switched strategy:

I don't read them at all. If anyone wants to sue my defense would be that nobody in their right mind (sorry younger me) would read that nonsense.

I assume the rules are basically "don't abuse our content or service",

... and I assume that they will sooner or later sell, abuse, leak, or hand over my data to law enforcement in any country including middle Eastern and African ones.


Don't Google and Mozilla review the source code of addons?


Mozilla yes - there's a delay when publishing whilst an actual human reviews the changes. For Google, updates are instantly published with, as far as I can tell, no kind of audit.


The Mozilla one is great, they insist on reproducible builds and do a thorough review. Although they can't catch everything, I would pick FF over Chrome all day for this reason alone.


Are you sure about that? AFAIK there is just an automatic validation system. I am an extension author myself and this is from a recent update approval email:

"This version has been screened and approved for the public. Keep in mind that other reviewers may look into this version in the future and determine that it requires changes or should be taken down. In that case, you will be notified again with details and next steps."

Perhaps this also depends on the number of users...


Back in 2015, when Detectify (with me as co-author) looked into this issue [1], many plugins did not actually have this code in the extension, but rather a feature to download remote code and add it to the extension, so to speak. As long as that practice is allowed, source review would not help.

[1] https://labs.detectify.com/2015/11/19/chrome-extensions-aka-...


AFAIK this isn't allowed in Firefox extensions.


It still isn't.


Is there any response from the Stylish developer?


"OneTab" is another popular extension with the same issue. Switched to ff+"tabs aside" since then.


That is absolutely not true. OneTab has never, ever transmitted any information about your tabs outside of your browser, and will never divulge them. I'm the developer. OneTab has never made a penny, and absolutely does and always will deliver on the privacy promise.


Really? This is getting out of hand. I found myself to be using at least several of the extensions mentioned here that I wasn't aware were stealing user data.
