Browser extension Stylish phones home with urls you visit
July 5, 2018 7:04 AM   Subscribe

The web browser extension Stylish can help you customize the CSS of any page you visit. By default, it also sends the url of every page you visit, along with an ID unique to you, to its new owner.

After this became more widely known in the last few days, Google and Mozilla pulled the plugin from their stores.

Alternatives to Stylish exist, but if you don't want to switch, you can opt-out of remote tracking in the extension's settings.
posted by Jpfed (26 comments total) 8 users marked this as a favorite
 
(Some discussion already about this in MetaTalk)
posted by Jpfed at 7:08 AM on July 5, 2018


I read in one of the stylish articles that Mozilla plans to force-disable the addon worldwide in browsers soon, so if anyone depends on it working, be careful to replace it before that happens (whenever it does).
posted by crysflame at 7:12 AM on July 5, 2018 [1 favorite]


I think it's interesting how this story is spreading now. We knew back in June 2017 that Stylish was malware. And yet it kept being on the "curated" addon stores from Mozilla, Google, etc for a year+; they only pulled it yesterday.

Clearly the defenses aren't working.
posted by Nelson at 7:31 AM on July 5, 2018 [14 favorites]


Violentmonkey (a modern reworking on the Greasemonkey idea) is a userscript plugin and it's capable of injecting CSS (even though its primary purpose is injecting JS) into pages, which makes it functionally-comparable to Stylish.

But it's open-source, so if it "goes evil", you can always just switch to the "good" fork and carry on.
posted by avapoet at 7:47 AM on July 5, 2018 [1 favorite]


Have not looked at the code but did wonder if the "terms of service" explicitly gave the company rights for the data upload? (all in clear legalize language carefully crafted for the ultimate obfuscation)
posted by sammyo at 7:53 AM on July 5, 2018


I think it's interesting how this story is spreading now. We knew back in June 2017 that Stylish was malware.

I saw the Robert Heaton story on hackernews a couple days ago, but when I went digging for other links, it became clear that this has been a thing for a while. Why didn't it spread sooner?

After Justin Hindman acquired it, he didn't immediately join SimilarWeb; that happened a year later. I wonder if that delay may have spread out the stories about Stylish enough to avoid any sort of viral threshold...? Or whether the forums on which this was originally discussed were too obscure to hit the big aggregators?
posted by Jpfed at 8:00 AM on July 5, 2018 [1 favorite]


Stylus appears to be a safe fork of Stylish from the last release version of Stylish. Currently trying it out with the comment differentiator style and it at least seems to work.
posted by Samizdata at 8:01 AM on July 5, 2018 [1 favorite]


Yeah, this has been the case for over a year now. The Stylish extension and the accompanying website, userstyles.org, were sold to similarweb, which is a "suck up your data and sell it to the highest bidder" company. The previous owner (Justin Hindman) of the site and extension (who was not the original owner, btw) disingenuously tried to pass off his decision to sell to them as "oh this got too big for me, now that similarweb are buying it, they'll be able to improve the addon and website", instead of the patently obvious cash grab it was. The very first thing they did was completely destroy the functionality of the website, by removing the ability to filter search results by date or popularity. So now if you search for a style for a particular website, you get a random mishmash of broken styles from eight years ago, sprinkled in with relatively new styles here and there. You also get styles that have nothing to do at all with the site you searched for. It's a huge mess.

I've long since switched to Stylus, an open source fork of the original Stylish addon from before it was sold to a spyware company. As for styles, I rarely install new ones now, because the userstyles website is now impossible to search, and no viable replacements have since presented themselves.
posted by katyggls at 8:14 AM on July 5, 2018 [1 favorite]


Debian packages this addon and it was reported there in January 2017 with never any followup by the team that was supposed to be maintaining it.
posted by joeyh at 8:17 AM on July 5, 2018 [4 favorites]


My first thought was, why on earth do people need to customize the look of web sites they visit? Surely we can all cope with some ugliness beyond our control? Then my second thought was that this type of extension could easily be a kludge used by people for accessibility reasons, because ugly can actually mean nonfunctional for some people; and suddenly sympathy returned.

To me this is the scariest line: “It’s not even enough to trust an extension’s current, benevolent owner.” I don’t keep tabs on the ownership of the extensions I use. Maybe I’m supposed to? Trust has become such an exhausting obligation.
posted by eirias at 8:23 AM on July 5, 2018 [6 favorites]


Debian packages this addon and it was reported there in January 2017 with never any followup by the team that was supposed to be maintaining it.
I've never been sure why Debian packages browser add-ons in the first place. They are invariably miles out of date, and unless the resources are there to backport security fixes to whichever version is included in Debian, you're going to have add-ons full of security holes in the repos.

I can't think of a scenario where a Debian user would need to get a version of an add-on from the Debian repo rather than just getting the latest from the browser's add-on 'store'.
posted by winterhill at 8:27 AM on July 5, 2018 [6 favorites]


the post is tagged 'safari' but as far as i know the stylish safari plug-in is a fork by an outside dev, and as far as I know isn't affected, right?
posted by and they trembled before her fury at 8:29 AM on July 5, 2018


I caught this news day before yesterday, and read the MetaTalk as well. I'm glad to see it on the blue. When I notified the only friend who I know was using it, she told me that she wasn't actually visiting the website for which she had installed it anymore, so it wasn't a big deal to uninstall it. What bothered me is that her response to it was a low key "Well I guess it's good that I'm boring." Though to be fair, I may not have explained it clearly.

I am thankful that when I asked for customization help kiripin handed me Stylus. I use it on both of my online community websites, but only with styles that I've made myself. Without the ability to change how the website from the question looks, I would not be able to participate there. For Metafilter, I just get rid of the 3 pixel contrast at the top of the screen in the Modern theme dark mode. But that makes it possible for me to use a dark browser theme instead of one that reduces the contrast of the bar to avoid it being visually painful. It seems like such a small thing, but it makes a world of difference to me.

About the tracking, well, I might be even more boring than my friend, but I still dislike being a uniquely indentifiable data point unless I knowingly agree to it.
posted by monopas at 8:35 AM on July 5, 2018 [1 favorite]


the post is tagged 'safari' but as far as i know the stylish safari plug-in is a fork by an outside dev, and as far as I know isn't affected, right?

You're right; I've removed the Safari tag.
posted by Jpfed at 8:42 AM on July 5, 2018 [1 favorite]


When I notified the only friend who I know was using it, she told me that she wasn't actually visiting the website for which she had installed it anymore, so it wasn't a big deal to uninstall it.

You might want to try explaining it again to your friend. If they have the Stylish extension installed at all, it is sending her entire browsing history to similarweb, even if she never visits a site for which she has a userstyle installed.
posted by katyggls at 8:55 AM on July 5, 2018


I think the friend meant that it wasn't too big a deal to uninstall Stylish? I know that was my response, too - I only had it installed for styles on a site I don't use anymore.
posted by sagc at 8:59 AM on July 5, 2018


Is Stylish in violation of GDPR? That could make it verrrry interesting, legally.
posted by ardgedee at 9:08 AM on July 5, 2018 [3 favorites]


What a quarter century's worth of free-market mayhem won't do to a simple network.
posted by Fupped Duck at 9:39 AM on July 5, 2018 [2 favorites]


Is Stylish in violation of GDPR? That could make it verrrry interesting, legally.

It (and other plugins like it) certainly can and will wreak havoc on site functionality and accessibility.
posted by grumpybear69 at 9:53 AM on July 5, 2018


...point of these plugins is to FIX functionality and accessibility. Like sites that use poor contrast for fonts, or sites that are mostly OK except for one obnoxious element, etc... you can override page styles for an individual site using browser controls, but it's an all-or-nothing approach. Customizing the rules to a specific site can ease pain for the reader.
posted by caution live frogs at 10:11 AM on July 5, 2018


Horrible contrast seems to be the current twee for self-styled weblogs these days. And I have a tab open to an NPR page that inexplicably doesn't have a max-width for body text.
posted by GenderNullPointerException at 11:38 AM on July 5, 2018 [3 favorites]


Yeah, browser extensions are such an iffy proposition. The ones I use, I tend to keep off by default and then turn on only when I need them.

If uBlock Origin ever goes evil, I'm really screwed.
posted by gwint at 11:51 AM on July 5, 2018


Correction, max-width on the NPR site is set to 100%, so on a widescreen monitor I get very long and thin paragraphs of text across the entire screen.
posted by GenderNullPointerException at 12:04 PM on July 5, 2018 [1 favorite]


It (and other plugins like it) certainly can and will wreak havoc on site functionality and accessibility.

The GDPR issue would be whether SimilarWeb is storing user information without their consent (narrator voice etc).
posted by Jpfed at 7:25 PM on July 5, 2018 [1 favorite]


disingenuously tried to pass off his decision to sell to them as "oh this got too big for me, now that similarweb are buying it, they'll be able to improve the addon and website", instead of the patently obvious cash grab it was

That's the power of selling out!

I can't think of a scenario where a Debian user would need to get a version of an add-on from the Debian repo rather than just getting the latest from the browser's add-on 'store'.

Reason I do it, as our household's sysadmin, is so I can be sure that uBlock Origin and NoScript get installed and updated across all user accounts on all our computers without my having to do anything beyond the usual apt upgrade to make that happen.

If uBlock Origin ever goes evil, I'm really screwed.

Now might be a good time to adopt a little defense in depth.
posted by flabdablet at 8:06 AM on July 6, 2018 [1 favorite]


I am a Waterfox user who got a message saying Stylish was no longer safe to use. For what it is worth, I was able to export my extensions out of it and into Stylus with no issues.
posted by koucha at 10:41 AM on July 6, 2018


« Older “What if the fault lies in the nature of the...   |   Would you rather be told to smile or to calm down? Newer »


This thread has been archived and is closed to new comments