Hi users of Stylish,
It appears that the Stylish extension (based on the code in this repo) has gained tracking code. Using Rob's excellent CRX Viewer I noticed some fishy code in `src/background.js` that was loaded on startup and code that was injected in every Google search page.
Effects:
- The full URL of all open tabs and all pages you visit.
- The titles, URLs and of every Google search result
Recommended steps:
- Remove the Stylish extension (Firefox should already have disabled the extension)
- (Optional:) install https://github.com/openstyles/stylus as replacement
Proof: https://twitter.com/Lekensteyn/status/1014307299475763201
More details:
https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/
https://bugzilla.mozilla.org/show_bug.cgi?id=1472948
Relevant extract for the first issue (`src/background.js`):
```js
chrome.windows.getAll({
    populate: true
}, function(windows) {
    for (var w = 0; w < windows.length; w++) {
        for (var i = 0; i < windows[w].tabs.length; i++) {
            if (!isRealUrlAddress(windows[w].tabs[i].url)) {
                continue;
            }
            stylesUpdater.updateQueryParams(windows[w].tabs[i].id, {
                reset: true,
                gp: windows[w].tabs[i].url // <-- WTF
            });
            if (windows[w].focused && windows[w].tabs[i].active) {
                stylesUpdater.gpStyleUpdate(windows[w].tabs[i]);
            }
        }
    }
});
```
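
An added example, not part of the original post and not code from Stylish: a heuristic Node.js check an auditor could run over an unpacked extension's scripts to flag the pattern in the extract above, a tab enumeration call followed by reads of each tab's URL. The names `auditSource`, `TAB_ENUM` and `URL_READ`, the 15-line look-ahead and the benign sample are assumptions made for illustration.

```javascript
'use strict';

// APIs that expose every open tab to an extension's background script.
const TAB_ENUM = /chrome\.(windows\.getAll|tabs\.query)\s*\(/;
// A read of a tab's URL, e.g. tabs[i].url or tab.url.
const URL_READ = /\btabs?(\[[^\]]*\])?\.url\b/;

// Flag each URL read within `lookahead` lines after a tab enumeration call.
function auditSource(file, source, lookahead = 15) {
  const lines = source.split('\n');
  const findings = [];
  lines.forEach((line, i) => {
    if (!TAB_ENUM.test(line)) return;
    const end = Math.min(lines.length, i + 1 + lookahead);
    for (let j = i; j < end; j++) {
      if (URL_READ.test(lines[j])) {
        findings.push({ file, enumLine: i + 1, urlLine: j + 1, code: lines[j].trim() });
      }
    }
  });
  return findings;
}

// The extract quoted in the post above, with the focused-tab branch omitted.
const STYLISH_EXTRACT = `chrome.windows.getAll({
  populate: true
}, function(windows) {
  for (var w = 0; w < windows.length; w++) {
    for (var i = 0; i < windows[w].tabs.length; i++) {
      if (!isRealUrlAddress(windows[w].tabs[i].url)) {
        continue;
      }
      stylesUpdater.updateQueryParams(windows[w].tabs[i].id, {
        reset: true,
        gp: windows[w].tabs[i].url
      });
    }
  }
});`;

// Constructed benign sample: enumerates tabs but never reads a URL.
const BENIGN = `chrome.tabs.query({ active: true }, function(tabs) {
  chrome.tabs.sendMessage(tabs[0].id, { type: 'refresh' });
});`;

for (const f of auditSource('src/background.js', STYLISH_EXTRACT)) {
  console.log(`${f.file}:${f.urlLine} tab URL read after enumeration at line ${f.enumLine}: ${f.code}`);
}
```

A hit is only a lead for manual review: the check does not follow where the URL value goes, and minified or obfuscated code will evade it.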