The extension, which has over 1.8 million users, has been silently collecting the browsing history and information of everyone who uses its platform. Uncovered by Robert Heaton, it appears the spyware slipped into Stylish around the same time it was bought by new owners SimilarWeb in January 2017.
The script hidden away in Stylish’s code sends a user’s complete browsing history back to a central server alongside a unique identifier. For those who also have a Stylish account on userstyles.org to download new browser skins, the unique identifier SimilarWeb assigns you can then be linked to your login cookie. As Heaton points out, this means SimilarWeb not only has your complete browsing history but also has the ability to link it with an email address and real-world identity.
Understandably, this sounds incredibly shady – more so when you realise that part of SimilarWeb’s marketing strategy is to “market solutions to see all your competitors’ traffic”. It’s unlikely that SimilarWeb intends to use your personal browsing history maliciously, but its data collection is seemingly further reaching than is really required.
“As far as tracking is concerned, anonymous information like which styles get installed or which sites visited get collected,” ghacks.net reported at the time. “This information powers some of the extension’s functionality such as the ability to reveal styles to users when they visit sites in the browser.”
[Image: Robert Heaton]
However, more digging by Heaton reveals that Stylish’s spyware tracks far more than which styles are being used on certain websites in a bid to offer up suggestions. It appears that SimilarWeb is also tracking full page URLs rather than just domains, and it scrapes and sends the Google search results displayed in your browser window.
Staying safe online is becoming increasingly tricky, especially when well over 400 websites are logging everything you type. Thankfully, Stylish does provide you with an option to turn tracking off and use it very much as before. Unhelpfully, it’s an option that’s ticked by default. If you would rather not worry about spyware in your browser extensions, you can delete Stylish and move to a similar – spyware-free – extension like Stylus instead.