A popular browser extension that nearly 2 million people use in Google Chrome, Mozilla Firefox, Opera, or Safari, has secretly recorded users' entire internet history.
The culprit extension is called Stylish, and it enables users to customize how webpages look like inside the popular web browsers. The plugin has 1.8 million users globally, on both Chrome and Firefox.
Browser Extension Stole Online History
Security researcher Robert Theaton was the one to spot the issue, as he'd been using the extension for years. In January 2017, however, Stylish changed owners and became the property of SimilarWeb, which later changed the extension's privacy policy.
Theaton started to suspect something when he noticed what looked like data collection from Stylish. As it turns out, his entire browsing history was recorded and wound up with third-party developers as the Stylish extension was full of spyware.
Even worse, the siphoned browser data could be tied to tidbits of information that make people identifiable in real life, not just online. This, in turn, could leave users vulnerable to blackmailers, hackers, and other such threats.
"It only takes one tracking request containing one session cookie to permanently associate a user account with a Stylish tracking identifier," Theaton points out. "This means that Stylish and SimilarWeb still have all the data they need to connect a real-world identity to a browsing history, should they or a hacker choose to."
"From inside his browser, Stylish could monitor every website he visited," writes Sophos' Naked Security. "Worse, because Heaton had an account login for the extension, it could relate his activity to his identity."
The browser extension sent loads of data back to its servers, including users' entire browsing history, along with a unique identifier. The data even covered Google search results from various queries users made.
Chrome, Firefox And Opera Pull Stylish Extension
Mozilla suddenly removed the Stylish extension from its Firefox Add-Ons, noting that it stood in violation of its data practices. Chrome offered no statement on the matter, but the extension is nowhere to be found, which means that it also removed Stylish. Opera followed suit and pulled the extension as well, as it's no longer among its options.
This means that the extension is no longer available for new users, but the damage is already done for the millions of people who already had the extension installed. Stylish likely stole the browsing history of all of its users worldwide, not just some.