Trust a Browser Extension Because Millions of People Use it? It’s Probably Watching You All the Time and Stealing Your Internet History
A popular Chrome and Firefox browser extension has turned out to be spyware. Stylish is famous for enabling users to modify how web pages appear in Chrome and Firefox. From dark themes to user-designed skins, the extension promises to help you color the internet your own way.
However, it has also been bringing spyware that records every website that its 2 million users visit, reveals Robert Heaton, a software engineer. "Stylish sends our complete browsing activity back to its servers, together with a unique identifier," Heaton writes.
This allows its new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie. This means that not only does SimilarWeb own a copy of our complete browsing histories, they also own enough other data to theoretically tie these histories to email addresses and real-world identities.
This shouldn't come as a surprise, though. The browser extension gets access to everything you do on the internet to be able to remove features that you don't like. Looking at how much your internet activity means to advertisers, it shouldn't shock anyone to find out that someone has been selling you out.
Not the first popular browser extension that isn't good at security
While Stylish originally helped its millions of users to try to personalize web pages without spying on them, it was sold to SimilarWeb, an analytics company, in 2017. As a developer commented, most of these acquisitions are made just to gain access to user data and their online activity. Extension developers get the money and the new company is in for surveillance purposes.
"This is a huge problem for the extension ecosystem in general," one developer commented. "Who originally publishes an extension may not be the same entity that is pushing you updates in two years time, and there's no way as a user to know this."
I publish a few extensions and have been contacted multiple times by companies asking to buy them for several thousand dollars. They told me the going rate was 0.20 USD per user. You can imagine what kind of deals are being made when the extension has a million plus users.
Once these extensions are acquired by another company - an analytics firm at that - it is difficult to expect the new people to have the same values that might have originally helped the extension get users on some of the world's most popular browsers.
SimilarWeb also had no interest in customizing websites or helping users get rid of the portions of the web pages they didn't like. The company was only interested in getting access to an extremely popular extension that was given excessive permissions by their users. Add a little spyware to the mix and they basically struck oil.
"It’s not news that browser extensions can be a security nightmare," Heaton writes. "It’s not even enough to trust an extension’s current, benevolent owner. Even the benevolent have to make a buck eventually, and quiet sales to organizations like SimpleWeb are not uncommon."
The best practice? Avoid extensions even if they promise convenience or cool new design makeovers. Even if you trust the original developer, you can never know what happens after the management changes. While at it, uninstall Stylish if you haven't already.