Stylish extension exfiltrated browsing history
After SimilarWeb acquired Stylish, official browser-extension updates began silently exfiltrating complete browsing histories. The data included full URLs, search results, and account-linked tracking identifiers.
Story
Stylish was a popular browser extension for applying custom CSS to websites. After SimilarWeb acquired it, official extension updates added analytics code that collected browsing history at a level users would not expect from a style manager.
Robert Heaton's analysis showed that the extension sent full URLs to api.userstyles.org, along with tracking identifiers that could link activity to a user. That meant search queries, private pages with tokenized URLs, and account-specific browsing behavior could leave the browser.
The code was distributed through normal extension stores. Users who installed or auto-updated Stylish received the behavior as part of the trusted package, not through a separate exploit.
Mozilla and Google removed Stylish from their extension stores after the reporting. The record is included because the official distribution channel shipped privacy-invasive code after an ownership change, converting a trusted extension into a surveillance endpoint.
Affected Artifacts
Stylish
- Observed: 2017-01-01 to 2018-07-04
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence: domain: api.userstyles.org, observable: Full browser URLs and search results were transmitted with tracking identifiers.
Incident Context
- Motive: Data Collection
- Attribution: Maintainer
- Cause: Acquisition
- Transitive: No
- Actor: New owner
- User Impact: 2000000
External References
- Stylish browser extension steals all your internet history (robertheaton.com)
- Stylish browser extension dropped by Chrome and Firefox after data slurp report (theregister.com)
- Stylish Firefox and Chrome extension banned for tracking browsing history (bleepingcomputer.com)
Source record: proprietary/stylish/meta.yaml