Google and Mozilla have ejected the popular Stylish extension from their respective catalogs following a complaint that it collects data about website visits in a way that could be used to identify users.
The browser extension, which has about two million users, became a hit because it lets users put their own overlay on websites and hide features they don't want to see.
Software engineer Robert Heaton detailed the extension's demise from what he describes as a useful tool he'd used for several years to the privacy threat it is today.
In a blog post, he argues that the "Stylish browser extension steals all your internet history" and collects enough information to identify individuals from historical web usage.
Some users weren't happy because the free app with no strings attached would collect data about their web usage, albeit anonymized.
SimilarWeb's current policy outlines that the extension collects HTTP requests, URLs used, anonymized IP addresses, and a range of search-engine data, including keywords, results, links, and ads displayed.
SimilarWeb says, "We are not aware of and cannot determine the identity of the users from whom the non-personal information is collected."
But, according to Heaton, that's wrong because the extension sends users' complete browsing history, along with a unique identifier for each user, to SimilarWeb's servers.
This process allows a technically adept insider or malicious hacker to "theoretically" connect the historical data to an individual, he says.
There is no suggestion SimilarWeb aims to do this, because the company's business model relies on aggregated user data.
Nonetheless, Heaton argues: "This allows its new owner, SimilarWeb, to connect all an individual's actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie. This means that not only does SimilarWeb own a copy of our complete browsing histories, they also own enough other data to theoretically tie these histories to email addresses and real-world identities."
Mozilla removed Stylish from its Firefox Add-ons catalog this week. "We decided to block because of violation of data practices outlined in the review policy," wrote Mozilla software engineer Andreas Wagner.
Stylish has been disabled, but not removed from browsers. However, users will get a warning to restart the browser, after which they probably won't be able to reinstall it.
The Stylish page on the Chrome Web Store now returns a 404 page.
For now, users can't install Stylish from these stores but, given this situation isn't a case of an extension being used to serve adware or malware, there's a chance the extension could be approved after a review.
Heaton recommends that any Stylish users having trouble install Stylus, a fork of the pre-analytics Stylish.