
SoylentNews is people

posted by Fnord666 on Thursday July 05 2018, @01:02AM
from the good-extensions-gone-bad dept.

The web browser extension "Stylish" steals all your browsing history. The change happened after the project had been sold several times; the latest set of owners supplemented the otherwise very useful code with surveillance capabilities starting around January 2017. It currently aggregates profiles on its users based on their complete browsing activities. The extension's user base had been about 2 million prior to this news.

Before it became a covert surveillance tool disguised as an outstanding browser extension, Stylish really was an outstanding browser extension.

[...] Unfortunately, since January 2017, Stylish has been augmented with bonus spyware that records every single website that I and its 2 million other users visit.

Related: https://bugzilla.mozilla.org/show_bug.cgi?id=1472948
https://www.bleepingcomputer.com/news/software/2-million-users-impacted-by-new-data-collection-policy-in-stylish-browser-add-on/

[Both Google and Mozilla have blocked Stylish as an extension at this point. An alternative extension Stylus was created from the last known version of the extension from the original author. -Ed]

[Update: 20180706_115313 UTC] Per a comment to this story, there is a replacement for Stylish available for Pale Moon:

Stylus fork mentioned in TFS is a WebExtension, and old versions of Stylish were also taken down, so finding and installing it would require manual intervention, and searching for last-known-good version.

Luckily, one of the Pale Moon developers created a compatible XUL-based fork, Stylem [palemoon.org] (release thread [palemoon.org]). It directly imports all Stylish userstyles, so just disable Stylish, enable Stylem, restart browser, and that's it. Worked without a hitch.

Earlier on SN: Stylish and Userstyles.org Having Corruption Issues (2016)


  • (Score: 0) by Anonymous Coward on Thursday July 05 2018, @08:38AM (1 child)

    by Anonymous Coward on Thursday July 05 2018, @08:38AM (#702905)

    PM user here, against recommending PM as a privacy-friendly tool. There are some bad things going on with it. Although it is advertised as more privacy-improved than FF, which seems to be true (recent FF likes to connect to some Mozilla identification server at start-up or pre-fetch history websites without consent), some time ago the author started to make chaotic and unexplainable moves like Mozilla did right before their course change.
    So the first alarm bell was banning a non-malware extension as malware (the AdNauseam affair).
    The second alarm was limiting support for an extension that blocks real web malware (NoScript).
    The third alarm bell was unexplainable resistance to own builds for some BSD distro even after correcting the libraries problem (I understand that the license protects against it, as using libraries "from the forest" may easily break the software, but the reaction was exaggerated).
    Unfortunately, currently there is no privacy-friendly browser, maybe except the TOR package. And really, don't puke with this failed argument about paying for sites with privacy. The Internet was designed in such a way that EVERY user paid their provider for this nice public_html directory too, and users decided to shut this part down, and I won't pay for any clickbait unusable junk made only to make users see more ads (99% of commercial websites, 100% of websites in my country).

  • (Score: 4, Informative) by Marand on Thursday July 05 2018, @04:20PM

    by Marand (1081) on Thursday July 05 2018, @04:20PM (#703047) Journal

    Since you didn't bother providing any useful links for those of us not familiar with these issues, I went looking into a couple of them myself. I didn't bother with the BSD one, but from what I saw about the AdNauseam and NoScript issues, I think you're over-hyping the severity of it a bit. Maybe it's because I'm not a Pale Moon user and thus not personally affected, but from my perspective the decisions related to them make some sense, even if I don't completely agree.

    First, the AdNauseam addon being blocked as malware [palemoon.org]. He(?) claims its behaviour of generating fake interaction to mess with advertisers is essentially malware. I don't think malware is the correct classification, because it seems closer to things like exploits and DDoS tools used by script kiddies, where you knowingly install and use it to negatively affect someone else, but I do agree that it's intentionally hostile software. Sure, it's to fuck with advertisers, who are scum, but 1) I don't generally agree with the "no bad tactics, only bad targets" mantra and 2) he's right about there being collateral damage to website owners. FWIW, it's not even a hard-coded block; it's using the normal blocklist feature from Firefox that users can choose to opt out of with an about:config setting, at their own risk. So, rather than "chaotic and unexplainable" it sounds to me like it was a reasonable decision made in a way that discourages casual, uninformed use of a "bad" tool without making any strong attempt at stopping determined users.

    Similarly, the blocking of NoScript [palemoon.org] seems like a reasonable stance for the developer to take. I use NoScript, and quite frankly it does tend to break a lot of sites in subtle, annoying ways that require constant tweaking of permissions to get some sites usable. From the perspective of supporting end users, the decision taken there makes perfect sense, because as shown here [palemoon.org] (and the "more information" here [palemoon.org]), it's only recommending the user disable it and allowing easy override at the prompt.

    That's just a cop-out to avoid having to provide troubleshooting and support to clueless "power user" types that install things they don't understand well enough to actually be using, and I completely understand it. Those are some of the worst types to support, because most self-identified power users are perfect examples of the Dunning-Kruger effect [wikipedia.org]. They're convinced they know everything, so they don't bother doing any research or paying attention to what they're doing, and when they inevitably fuck something up they start asking for help because they don't know how to get out of the mess they got themselves into. It's even worse if they think you're obligated to provide support, which means "always unless you explicitly say you don't, and even then they'll usually argue that you owe it to them", so I completely agree with the desire for a small-ish project to be able to limit time wasted on them by saying up-front that NoScript is a "use at your own risk" addon and spending that time on other people that need help.

    Maybe the BSD complaint is legitimate, but so far you've over-hyped two out of three complaints, so I didn't feel particularly compelled to check a third and be disappointed again. The other decisions seem reasonable enough, the person responsible took the time to explain his (mostly reasonable) logic, and neither was done in a way that actually blocks users from having final say in what they do with the software. Much ado over nothing.